SOFTWARE DEVELOPMENT
The Industry Newspaper for Software Development Managers



INTEL-BASED MACS WERE

BY ALEX HANDY

SAN FRANCISCO — At the 
Macworld Expo, which took 
place during the second week 
of January at the Moscone Cen- 
ter here, Apple Computer 
announced the release of its 
first wave of Intel-based com- 
puters, and Intel responded by 
offering developers a glance at 
beta versions of its new Xcode 
tool set. While developer-tar- 
geted news was scarce on the 
show floor, there were a num- 
ber of smaller tools on display, 
many of them targeted at File- 
Maker users. 

Intel's new Mac developer 
tools include a Fortran compiler, 
a C++ compiler, a math opera- 
tions optimization library and 



performance primitives for 
speeding up multimedia pro- 
cesses. All should be ready for 
commercial release during the 
second quarter of 2006, said 
the company. Beta versions can 
be downloaded at www.intel.com/software/apple.

Newcomer Andescotia 
Software was hosting one of 
just a few developer-specific 
kiosks at the show. The company 
has announced the release 
of Marten 1.3, a visual program- 
ming environment for Mac 
OS X. Marten is an almost 
entirely mouse-based program- 
ming environment in the vein 
of RealSoftware's RealBasic. 
The IDE, however, can output 
► continued on page 18 



Subversion 
Team Sees 
Bright Future 

But CVS maintainer says earlier 
version tracker is alive and well 



BY ALEX HANDY 

Proponents of the open-source 
version-tracking system Subver- 
sion received a new version for 
the new year. Subversion 1.3 was 
released during the first week of 
2006, and with the revision 
comes a number of new features, 
including better integration with 
Apache's logging capabilities and 
more than 30 bug fixes. 








CVS development has been picking 
up in the past year or two, says 
Price, a CVS training consultant. 



Garrett Rooney is an open- 
source developer at CollabNet, 
and works full-time on Subver- 
sion. He believes one of the key 
benefits of Subversion is that 
it was designed to be used on 
a network. The older 
open-source version-control sys- 
tem, CVS, behaves unpre- 
dictably in that kind of environ- 
ment, he claimed. "CVS is a very 
old version-control system, and 
it's sort of evolved over the years 
incrementally. In some cases 
that's good; but in this case, it's 
this simple tool and a lot of 
things feel thrown together." 

Derek Price is a CVS train- 
ing consultant and one of its 
three major maintainers. While 
he admits that CVS has lost 
some of its momentum in 
recent years, he said that the 
version-control project is far 
from dead. "Active develop- 
ment on CVS is somewhat slow 
and it has been for years," said 
► continued on page 21 



The Race Is On to Debug Dual-Core Deadlocks 

Exploring best practices for building parallel applications 

BY JENNIFER DEJONG 

You write a program. You test 
it. You ship it. Then, mysteri- 
ously, it doesn't run. 

What's the culprit? Most likely, a deadlock or a race condition, said James Reinders, a senior engineer at Intel. Both errors can grind a multithreaded application to a halt, and are notoriously difficult to detect. "They simply don't exist in sequential programs," he said.

Deadlocks and race condi- 
tions aren't new; they've afflicted 
multiprocessor systems, particu- 
larly large servers, for many 
years. But dual-core processors 
for the desktop, delivered by 
AMD and Intel last year, are 
bringing them to the fore. That's 
generating renewed interest in 
► continued on page 14 
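The two failure modes the article names, shown in working code. This is an added example, not code from the article or from Intel: a counter whose unsynchronised read-modify-write races, and a two-account transfer that can deadlock when two threads take the same pair of locks in opposite orders, each beside its standard fix (a lock around the whole update; a single global lock-acquisition order). The accounts, balances and thread counts are constructed for the demo.

```python
import threading
import time


# --- Race condition: unsynchronised read-modify-write on shared state ---

class Counter:
    def __init__(self):
        self.value = 0
        self.lock = threading.Lock()

    def unsafe_inc(self):
        # Read, yield the GIL, then write: another thread can read the same
        # stale value in between, and one of the two increments is lost.
        v = self.value
        time.sleep(0)  # widens the window so the race shows up reliably
        self.value = v + 1

    def safe_inc(self):
        with self.lock:  # the whole read-modify-write is now atomic
            self.value += 1


def run_counter(inc, n_threads=4, iters=250):
    """Hammer one Counter from several threads; return the final value."""
    c = Counter()

    def worker():
        for _ in range(iters):
            inc(c)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return c.value


# --- Deadlock: two locks taken in opposite orders by two threads ---

class Account:
    def __init__(self, name, balance):
        self.name = name
        self.balance = balance
        self.lock = threading.Lock()


def transfer_unordered(src, dst, amount):
    # Takes src.lock then dst.lock. A concurrent transfer in the other
    # direction takes them the other way round; each thread can end up
    # holding one lock and waiting forever for the other.
    with src.lock:
        time.sleep(0)
        with dst.lock:
            if src.balance >= amount:
                src.balance -= amount
                dst.balance += amount


def transfer_ordered(src, dst, amount):
    # Fix: always acquire locks in one global order (here: by account name),
    # so no cycle of waiting threads can form.
    first, second = sorted((src, dst), key=lambda a: a.name)
    with first.lock:
        with second.lock:
            if src.balance >= amount:
                src.balance -= amount
                dst.balance += amount


def run_transfers(transfer, n_threads=8, iters=100, timeout=2.0):
    """Run transfers in both directions concurrently.
    Returns (all_threads_finished, total_balance)."""
    a, b = Account("a", 1000), Account("b", 1000)  # constructed sample

    def worker(i):
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        for _ in range(iters):
            transfer(src, dst, 1)

    threads = [threading.Thread(target=worker, args=(i,), daemon=True)
               for i in range(n_threads)]
    for t in threads:
        t.start()
    deadline = time.monotonic() + timeout
    for t in threads:
        t.join(max(0.0, deadline - time.monotonic()))
    finished = not any(t.is_alive() for t in threads)
    return finished, a.balance + b.balance


if __name__ == "__main__":
    print("unsafe counter:", run_counter(Counter.unsafe_inc), "of 1000")
    print("safe counter:  ", run_counter(Counter.safe_inc), "of 1000")
    print("unordered locks finished:", run_transfers(transfer_unordered))
    print("ordered locks finished:  ", run_transfers(transfer_ordered))
```

Running the script, the unsafe counter normally ends below 1000 and the unordered transfer usually leaves threads stuck (the join times out), while the ordered version always completes with the total preserved; the total is preserved even when a thread is stuck, because it blocks before touching either balance. That is exactly why these bugs escape testing: nothing crashes and the data still looks right.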
Microsoft Tries Its Hand at Open Source 

.NET apps made with IronPython beta already outpace rivals, claims creator 



BY ANDY PATRIZIO 

With the first beta release of 
IronPython, Microsoft is testing 
not just its first dynamic lan- 
guage, but also the first open- 
source project adopted for 
release under its own name, 
while preserving the open 
nature of the effort. 

While other open-source 
developers have joined Micro- 
soft — notably Wiki inventor 
Ward Cunningham — this is the 
first time Microsoft has adopted 
an open-source project to 
release with the Microsoft name. 

IronPython is an implemen- 
tation of the Python language for 
.NET started by Jim Hugunin, 
creator of Jython (Python for 
Java) and AspectJ. He was hired 
by Microsoft in late 2004 to 
continue work on IronPython, 
which at the time had a develop- 
ment community of one. 

IronPython is written in C# 
and is available under the 
Microsoft Permissive License 
(Ms-PL), allowing developers 
to use, modify and freely re- 
distribute the licensed code for 
both commercial and noncom- 
mercial purposes. Of the im- 
plementation, Hugunin said 
that he has "refused to compro- 
mise on Python language com- 
patibility." 



According to Hugunin, the 
technology shows great perfor- 
mance potential. While the lan- 
guage was still in the alpha 
stages, Hugunin was claiming 
application performance nearly 
double that of Python 2.3. Iron- 
Python applications are com- 
piled into bytecode and execut- 
ed by an interactive interpreter 
and on-the-fly compiler, like 
standard Python. 

However, IronPython also 
supports static compilation of 
Python code to produce exe- 
cutables, or static dynamic link 



libraries that can be called 
from other .NET languages, 
such as C# and Visual Basic. 

Currently there are no plans 
to provide official support for 
IronPython in Visual Studio, 
but Hugunin said it will be a 
part of an SDK Microsoft plans 
to release later this year. 
Microsoft declined to give any 
details of what else the SDK 
would contain. 

IN AN ACTIVE STATE 

Hugunin said that Microsoft is 
willing to work with third par- 



ties interested in using the 
code, leaving open the possibil- 
ity of third-party support. 

One obvious choice to 
adopt IronPython would be 
ActiveState, maker of the 
Komodo IDE, which supports 
Python. David Ascher, man- 
aging director and chief tech- 
nologist at ActiveState, said 
the company has known about 
IronPython since before it 
was a Microsoft project, and it 
is following the project's 
progress. He thinks it's possi- 
ble for Komodo to support 



IronPython. 

"Our early tests indicate that 
there are some current incom- 
patibilities, but it's likely that 
those will be ironed out soon," 
he said. "Naturally, we'll do 
what we need to do to ensure 
that if and when IronPython 
becomes commercially signifi- 
cant, it will be usable from 
Komodo," he said. 

Microsoft expects to release 
the final version some time 
this year. The beta code can be 
downloaded from workspaces.gotdotnet.com/ironpython.



Cider Designed to Make WPF-Based Apps Not Hard 

Microsoft claims visual forms designer will ease Avalon-based applications 



BY ANDY PATRIZIO 

The next version of Visual Stu- 
dio will have a new component, 
a visual design tool for building 
applications using Microsoft's 
upcoming Windows Presenta- 
tion Foundation (WPF) subsys- 
tem, code-named Avalon. 

The design tool is currently 
code-named Cider and will be 
a part of the next Visual Stu- 
dio, code-named Orcas, due in 
2007. Orcas is expected to 
support Windows Vista appli- 
cation development, since 



Vista is due later this year with 
a number of new foundation 
libraries. 

Microsoft released Cider in 
late December as part of a 
Community Technology Pre- 
view (CTP) for Orcas WinFX 
Development Tools. The Orcas 
WinFX Development Tools 
CTP is designed to help devel- 
opers get a jump-start on 
building WinFX applications. 
Cider is in a fairly early state 
right now, but it does allow 
developers to build and debug 



applications. 

In a video introducing Cider 
found on Channel 9 — 
Microsoft's streaming media 
site for MSDN — Mark Boulter, 
a program manager for 
Microsoft, said that the aim of 
Cider is to give business app 
developers a designer that 
offers an experience similar to 
that of Microsoft's current 
forms editor tools. 

"One of the key goals we 
have is to enable designers and 
developers to work much more 



BZ MEDIA TO LAUNCH ECLIPSE REVIEW 



Publisher introduces quarterly magazine to serve community 

BY ALAN ZEICHICK 

Ever since Eclipse spun off 
from IBM in 2001, the open- 
source tools framework's trajec- 
tory has been straight up. At SD 
Times, we've chronicled the 
increased popularity of Eclipse, 
and how it has risen to become 
one of the two dominant tools 
platforms for enterprise devel- 
opers (the other being Micro- 
soft's Visual Studio). 

BZ Media, the parent com- 
pany behind SD Times, has 
been serving the information 
needs of the Eclipse communi- 
ty for a couple of years now, 
beginning with a successful 
"Spotlight on Eclipse" supple- 
ment to SD Times, published in 
late 2004. We followed that up 
by acquiring the EclipseSource 
newsletter from Penton Media, 
and launching EclipseWorld, 
the first independent technical 
conference for this community, 




in August 2005. The second 
EclipseWorld will be held this 
September in Boston. 

Now, we're kicking off a 
new quarterly print magazine, 
called Eclipse Review (www.EclipseReview.com). The first 
issue will appear in March. 
Eclipse Review will serve all 
IT professionals, including 
software development man- 
agers and development teams, 
using Eclipse-based tools and 
technology. 

Ted Bahr, publisher of 
Eclipse Review and president 
of BZ Media, said, "More than 
62 percent of companies sur- 
veyed in November 2005 say 
that they have adopted Eclipse 
tools and technologies, up 
from 53 percent in 2004. Near- 
ly 40 percent of organizations 
now require or prefer that new 
development tools be Eclipse- 
based or Eclipse-compatible. 




The Eclipse market is boom- 
ing, and Eclipse Review is the 
best way for IT professionals 
and developers to gain the 
technical information they 
need about Eclipse-based tools 
and technologies, and it's the 
best way for the Eclipse indus- 
try to reach and sell to the 
growing number of Eclipse 
professionals." 

This information is from 
the Second Annual Eclipse 
Adoption Study, conducted by 
BZ Research, a subsidiary of 
BZ Media. The study was com- 
pleted in November 2005. 

Mike Milinkovich, executive 
director of the Eclipse Founda- 
tion, said, "We are delighted 
that BZ Media is launching 
Eclipse Review, which we are 
sure will be an excellent 
resource for the Eclipse com- 
munity. BZ Media has been a 
steadfast supporter of Eclipse, 




first through its Eclipse supple- 
ments to SD Times, then with 
its EclipseWorld conference 
and EclipseSource newsletter, 
and now with Eclipse Review. 
We appreciate BZ Media's 
contributions to the Eclipse 
community." 

We're just beginning to 
crank up the machinery now 
for Eclipse Review, but if you 
use Eclipse, please sign up for 
a free subscription. 

We're excited about the 
launch of Eclipse Review, and 
hope you are too! 



closely together using these 
tools and Avalon than they 
have in the past," said Boulter 
in the video. 

Cider uses the new XML- 
based mark-up language called 
XAML (Extensible Applica- 
tion Markup Language, pro- 
nounced "Zamel") that Micro- 
soft is introducing with Vista. 
User interfaces in Vista appli- 
cations are typically built using 
XAML, which in turn runs on 
WinFX. XAML interfaces are 
built the same way a Web page 
is built in HTML — by simply 
creating a document with tags 
for the user interface elements 
needed. 

Just like writing a Web page 
in Microsoft Front Page, users 
can switch between the visual 
editor and the raw code. In 
the case of Cider, switching 
occurs between the visual 
design and XAML code, 
instead of HTML code. De- 
velopers also have the option 
of hand-coding. 

Designs can be prettied up 
with Microsoft's forthcoming 
Expression Interactive Design- 
er, code-named Sparkle. Cider 
files can be read into Sparkle, 
and vice versa, so a UI can be 
created in Cider, saved, read 
into Sparkle, given a colorful 
look, saved and loaded back 
into Cider for further editing. 
Code to perform tasks is then 
written in any of the Visual Stu- 
dio languages. 

Microsoft has launched a 
Wiki site dedicated to Cider 
on Channel 9 (channel9.msdn.com/wiki/default.aspx/Cider.HomePage).
Java Wars: Enterprise Developers Show Loyalty 



BY ALAN ZEICHICK 

In spite of fierce competition 
from Microsoft's .NET plat- 
form, the usage of Java within 
the enterprise continues to 
increase, rising from 72.2 per- 
cent in 2003 to 77.4 percent 
today. And, another 6.3 percent 
say they expect to use Java with- 
in the next year. That's accord- 
ing to the fifth annual Java Use 
and Awareness Study, conduct- 
ed by BZ Research in Decem- 
ber 2005. 

BZ Research, like SD Times, 
is a division of BZ Media. This 
latest survey was completed by 
724 subscribers to SD Times, 
and has an accuracy of ±2.5 
percentage points. 

"The strength of our devel- 
opment team is in [the] Java/ 
J2EE technology stack. Using 
Java allows us to integrate 
open source software and pro- 
jects that accelerate develop- 
ment or enhance the existing 
functionality of our product," 
said one respondent, Bob Aga- 
malian, manager of software 
development for First Consult- 
ing Group. 

"Reasons for using Java: 
Portability. Ease of develop- 
ment. Same code in C++ would 
have taken nearly double the 
time. APIs available in Java," 
said another, who did not wish 
to be quoted by name. 

The use of Java breaks down 
with 66.2 percent saying they use 
or will be using Java Enterprise 
Edition (J2EE or Java EE), 59.0 
percent saying they will use Java 
Standard Edition (J2SE or Java 



SE), and 9.8 percent indicating 
Java Micro Edition (J2ME or 
Java ME). While the usage of SE 
and EE remains relatively con- 
stant, within the accuracy of the 
study, the usage of ME indicates 
a statistically significant drop 
from 12.9 percent in 2003. 

When compared with BZ 
Research's most recent .NET 
Adoption Study, conducted in 
October 2005, Java usage con- 



tinues to surpass that of 
Microsoft's platform. Fully 68.4 
percent of respondents of the 
Java study say that they have 
deployed production systems 
using Java; in the .NET study, 
46.9 percent of respondents 
said they have deployed pro- 
duction systems using .NET. 
While the results may not be 
directly comparable, due to the 
nature of the two studies, the 



difference does appear to be 
large enough to be significant. 

This data means, of course, 
that many shops use both plat- 
forms, or take advantage of 
interoperability between the 
two. "We build production 
J2EE Web applications. The 
only other real option would be 
.NET, but, we are already heav- 
ily invested in J2EE. Unless 
there were a compelling reason 
to switch, we will be on J2EE 
for the foreseeable future. Our 
Web services written in Java 
can always interoperate with 
other .NET islands," said Mike 
Van Riper, Web applications 
lead with VeriSign. 

That's not to say that all 
respondents had good things to 
say. "We have some tools in Java 
but our customers all prefer 
.NET. All code shipped to cus- 
tomers is in .NET," said one 
respondent. "Java is too slow, 
we don't like the development 
IDE. J2EE has a large learning 
curve to become productive," 
complained another. 

"The most important reason, 

aside from a technical prefer- 

► continued on page 12 
PowerDesigner 12 Boosts .NET Support 



Modeling tool automates database creation, reverse engineering 

BY ANDY PATRIZIO 

Sybase's Powersoft division in late January released PowerDesigner 12, the latest version of its modeling and design tool for building database applications. With the release, PowerDesigner is more tightly integrated with Microsoft's .NET Framework and gets several major new features. Now supported are UML 2.0, Business Process Modeling Notation, Business Process Modeling Language, the latest databases from IBM, Microsoft, 


ONE 

Unified 

Bl 

Platform 



Web-Based 



ALL 

The Reporting 
Features You Need 



Managed Reporting 
Ad Hoc Query 
OLAP Analysis 
Dashboarding 






1 0,528 

Developers Have 

Experienced the 

LogiXML Difference 

since 2005 because of 



Technology 
Company Culture 
Aggressive Pricing 



Experience the 

PRODUCTIVITY 

Difference 






© 



LogiXML 

www.fiQgiKml.coni 



Free White Paper! 

"Implementing a Web-based 
Enterprise Bl Plafnrm" 

Download Our Free Software! 

www.freereporting.com 

1.888, LOGIXML 



Oracle and Sybase, and the new 
features in Visual Studio 2005, 
according to David Dichmann, 
product manager for PowerDe- 
signer. 

PowerDesigner 12 also fea- 
tures enhanced report genera- 
tion, with a new set of wizards 
to make reporting tasks easier. 
Reports are generated in an 
Excel-style spreadsheet, which 
can be easily imported into 
Excel, said Dichmann. "This is 
for making reports for nonmod- 
elers," he said. 

FUSION MIGRATION 

Designers looking to migrate 
from CA's AllFusion modeling 
tool will have more migration 
options for importing CA's 
ERwin models, such as import- 
ing only conceptual designs 
rather than entire models. 

On the enterprise modeling 
side, PowerDesigner offers 
more metadata management 
facilities. A new data mapping 
editor can document where 
data is being used and generate 
classes, tables or databases 
from other objects, said Dich- 
mann. This essentially allows a 
developer to reverse-engineer a 
database out of a class or an 
Enterprise JavaBean. 

By dropping a database table 
on a class, PowerDesigner cre- 
ates the dependencies by map- 
ping the table to the class. Or, 
for a database object or table 
without an application, drag 
and drop the object or table to 
an empty class and it will create 
data structures and data map- 
ping. Developers can then 
build an application around it 
with all of the data fields 
already defined in the code, 
according to Dichmann. 

The data mapping tool also 
supports application code, so 
developers can generate a data- 
base out of C# code or an EJB. 
This works for any database, 
Dichmann claimed. Likewise, a 
database can be reverse-engi- 
neered to produce object code 
or a data model for use in appli- 
cations, so developers can get a 
jump-start on building a new 
application that uses an existing 
database. 

PowerDesigner 12 comes in 
three editions: PowerDesigner 
Data Architect is just for data 
modelers and sells for US$2,995 
per seat; PowerDesigner Devel- 
oper, also $2,995, has UML and 
object modeling support and 
reverse-engineering capability; 
and PowerDesigner Studio 
Enterprise sells for $7,495, and 
adds business modeling. 
Java-App Profiler Ready for NetBeans 






BY ALEX HANDY 

The NetBeans development 
community in late January was 
set to release NetBeans 5.0 and 
the NetBeans Profiler, which 
should make software optimiza- 
tion a lot simpler with the abili- 
ty to profile memory usage, 
thread states and overall appli- 
cation performance. 

"There are two issues that 

Fair Isaac Revs 
Blaze Advisor 
With RETE III 

BY JENNIFER DEJONG 

Fair Isaac has boosted its busi- 
ness rules offering, incorporat- 
ing the technology it acquired 
from Burlington, Mass.-based 
RulesPower last September. 

Blaze Advisor 6.1, which the 
Minneapolis-based company 
was expected to announce last 
month, is based on the RETE 
III algorithm, enabling faster 
execution of business rules. 

The RETE family of algo- 
rithms is an inference technolo- 
gy used by business rules 
engines to figure out which rule 
to execute next. The technology 
is important to developers 
because it saves them from hav- 
ing to specify the order in which 
business rules are applied, said 
James Taylor, a vice president of 
product marketing at Fair Isaac. 

Business rules are essentially 
if-then statements that spell out, 
for example, which customers 
are entitled to which discounts. 

RETE III overcomes a sig- 
nificant limitation in RETE I, 
the public domain version of 
the algorithm. "With RETE I, it 
was difficult to use inferencing 
and get the performance you 
wanted," said Taylor. As a 
result, many developers simply 
turned off the inferencing 
engine, forcing them to reorder 
the rules each time a change, 
such as a new pricing promo- 
tion, was made. 
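What "not specifying the order" means in practice, as an added example that is neither Fair Isaac's code nor the RETE algorithm itself: a naive forward-chaining engine in Python over a constructed discount rule set. The engine re-evaluates every rule until no rule can add a fact, so the same closure is reached whichever order the rules are listed in; only the firing trace differs. Rete's contribution, not reproduced here, is doing that matching incrementally (caching partial matches so a change to working memory re-tests only the affected rules) instead of rescanning every rule each round. Rule names, facts and thresholds are all made up for the demo.

```python
from typing import Callable, FrozenSet, Iterable, List, Set, Tuple

Fact = Tuple[str, object]      # (attribute, value) pairs in working memory
Memory = Set[Fact]


class Rule:
    """An if-then business rule: `when` tests working memory, `then`
    returns the facts to assert when the condition holds."""

    def __init__(self, name: str, when: Callable[[Memory], bool],
                 then: Callable[[Memory], Set[Fact]]):
        self.name, self.when, self.then = name, when, then


def has(wm: Memory, key: str,
        pred: Callable[[object], bool] = lambda v: True) -> bool:
    """True if working memory holds `key` with a value satisfying `pred`."""
    return any(k == key and pred(v) for k, v in wm)


def forward_chain(facts: Iterable[Fact], rules: List[Rule],
                  max_rounds: int = 50) -> Tuple[FrozenSet[Fact], List[str]]:
    """Fire rules until a fixpoint. Returns (closure, firing trace).
    A rule 'fires' only when it adds a fact not already present, which is
    what keeps the loop from spinning on rules that keep matching."""
    wm: Memory = set(facts)
    trace: List[str] = []
    for _ in range(max_rounds):
        progressed = False
        for rule in rules:
            if rule.when(wm):
                new = rule.then(wm) - wm
                if new:
                    wm |= new
                    trace.append(rule.name)
                    progressed = True
        if not progressed:
            return frozenset(wm), trace
    raise RuntimeError("rule set did not reach a fixpoint")


# Constructed rule set: tiering, then a discount and a shipping perk that
# depend on the tier derived by the first rule.
RULES = [
    Rule("gold_tier",
         lambda wm: has(wm, "orders_last_year", lambda n: n >= 10),
         lambda wm: {("tier", "gold")}),
    Rule("gold_discount",
         lambda wm: ("tier", "gold") in wm,
         lambda wm: {("discount_pct", 10)}),
    Rule("free_shipping",
         lambda wm: ("tier", "gold") in wm
         and has(wm, "order_total", lambda t: t >= 500),
         lambda wm: {("free_shipping", True)}),
]

# Constructed input: a frequent customer placing a large order.
ORDER: Memory = {("orders_last_year", 12), ("order_total", 600)}


def closure_is_order_independent(facts: Memory = ORDER,
                                 rules: List[Rule] = RULES) -> bool:
    """Same facts derived whether rules are listed forwards or backwards."""
    forward, _ = forward_chain(facts, rules)
    backward, _ = forward_chain(facts, list(reversed(rules)))
    return forward == backward


if __name__ == "__main__":
    closure, trace = forward_chain(ORDER, RULES)
    print(sorted(closure), trace)
    print("order independent:", closure_is_order_independent())
```

The caveat Taylor's remark points at: with monotonic rules like these, order does not matter. Once rules retract facts or reach conflicting conclusions, the engine's conflict-resolution strategy decides which fires first, and that is where developers who "turned off the inferencing engine" were forced back into hand-ordering rules.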

Fair Isaac was expected to 
ship the Java version of Blaze 
Advisor 6.1 by the end of Janu- 
ary. The COBOL and .NET edi- 
tions are planned for the second 
quarter of 2006, said Taylor. 

Also new to 6.1 are user 
interface enhancements, such 
as the ability to cut and paste 
pieces of a decision tree, and 
the ability to display rules 
authored in English in multiple 
languages, he said. 



make profiling tough," said 
Gregg Sporar, a technology 
evangelist at Sun Microsystems. 
"Java profiling tools introduce 
too much overhead, which has 
an impact on larger programs. 
As you introduce that overhead, 



you slow down the application." 
The second issue, he said, is the 
inability to do an appropriate 
level of filtering. "You end up 
with an overflow of information. 
If I am trying to find a particular 
problem with memory alloca- 



tions, I don't want this tidal 
wave of info on every thread." 

Sporar said the NetBeans 
Profiler is tightly integrated 
within the IDE. "You don't have 
to put up this giant dashboard of 
options to get the profiler to 



give you some useful information." Instead, the tool performs 
some specific types of Java 
application profiling, including 
that of CPU performance, 
memory usage and thread state. 
Sporar said the NetBeans Pro- 
filer next will add load testing, 
and a heap walker to inspect an 
application's Java heap. 
Eclipse Gets Lightweight 
Dependency Modeling 



BY EDWARD J. CORREIA 

Suffering the boxes and arrows of outra- 
geous UML? Take arms against a sea of 
scalability troubles, and by Eclipse, end 
them. 

Lattix, developer of architecture 
management tools, in mid-January 
released LDM for Eclipse, a version of 
its Lightweight Dependency Model that 
permits developers to analyze highly 
complex software systems and diagram 
component interdependencies simply. 

"The problem with UML is that it 
doesn't scale," claimed Neeraj Sangal, 
president and co-founder of the Boston- 
based Lattix, referring to UML's method 
of illustrating software architecture, 
which uses boxes and arrows to repre- 
sent dependencies among components. 
"When you have thousands of boxes and 
arrows, it becomes very hard to follow." 

LDM illustrates complex systems 
using Design Structure Matrix (DSM), a 
decades-old technology that gained 
notoriety in the 1990s when MIT used it 
to model complex processes at Boeing, 
General Motors and Intel. Lattix claims 
to offer the first product to apply DSM 
to software systems. 

"The biggest benefit of LDM is that it's 
highly scalable. We have built systems 
with 20,000 classes in them," claimed 
Sangal. The Eclipse framework itself is 
one such example, said Frank Walden, 
Lattix's co-founder and vice president. 
Lattix joined the Eclipse Foundation ear- 
lier in January as an add-in provider. 

The software is available for Linux and 
Windows in two editions, both released 
on Jan. 16. A free and fully functional 
Community edition can analyze an unlim- 
ited number of systems of any size; a 
US$4,995 Enterprise edition adds the 
ability to create architecture rules that can 



permit or forbid certain dependencies. 

"Once a dependency model is created, 
rules can be designed based on those 
dependencies," explained Walden. "Then 
LDM creates a remediation list for 
dependencies that shouldn't be there," he 
said. The software then offers advice on 
how to fix or change illegal dependencies. 
"This also lets developers see who they 
impact, how they are impacted and who 
they are impacted by," added Sangal. 
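An added example of the two ideas in the article, the Design Structure Matrix and architecture rules that forbid certain dependencies; this is not Lattix's code and makes no claim about how LDM is implemented. It builds a DSM from a constructed dependency list (rows depend on columns, components ordered from the highest layer down, so in a clean layering every mark sits above the diagonal), finds dependency cycles with Tarjan's strongly-connected-components algorithm, and produces the kind of remediation list Walden describes from a layering rule plus an explicit forbidden pair. The component names, layers and rules are all made up.

```python
from typing import Dict, List, Set, Tuple

Deps = Dict[str, Set[str]]

# Constructed sample: a layered application. "ui" is not supposed to reach
# "db" directly, and "db" -> "service" is an upward dependency that also
# closes a cycle with "service" -> "db".
SAMPLE_DEPS: Deps = {
    "ui":      {"service", "db"},
    "service": {"domain", "db"},
    "db":      {"domain", "service"},
    "domain":  {"util"},
    "util":    set(),
}
LAYERS = {"ui": 3, "service": 2, "db": 1, "domain": 0, "util": 0}
FORBIDDEN = {("ui", "db")}       # explicit architecture rule: (from, to)


def build_dsm(deps: Deps, layers: Dict[str, int]) -> Tuple[List[str], List[List[int]]]:
    """Square matrix, cell [row][col] == 1 when row depends on col.
    Components are ordered top layer first, then by name."""
    names = sorted(deps, key=lambda n: (-layers.get(n, 0), n))
    idx = {n: i for i, n in enumerate(names)}
    matrix = [[0] * len(names) for _ in names]
    for src, targets in deps.items():
        for dst in targets:
            matrix[idx[src]][idx[dst]] = 1
    return names, matrix


def render_dsm(names: List[str], matrix: List[List[int]]) -> str:
    """Text rendering: 'X' = dependency, '#' = diagonal, '.' = none."""
    width = max(len(n) for n in names)
    header = " " * (width + 1) + " ".join(str(i + 1) for i in range(len(names)))
    lines = [header]
    for i, row in enumerate(matrix):
        cells = " ".join("#" if j == i else ("X" if v else ".")
                         for j, v in enumerate(row))
        lines.append(f"{names[i]:>{width}} {cells}")
    return "\n".join(lines)


def find_cycles(deps: Deps) -> List[List[str]]:
    """Tarjan's SCC algorithm; returns the components that form cycles."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    sccs: List[List[str]] = []
    counter = [0]

    def strong(v: str) -> None:
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in deps.get(v, ()):
            if w not in index:
                strong(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            sccs.append(sorted(comp))

    for v in sorted(deps):
        if v not in index:
            strong(v)
    # a single node is only a cycle if it depends on itself
    return [c for c in sccs if len(c) > 1 or c[0] in deps.get(c[0], ())]


def check_rules(deps: Deps, layers: Dict[str, int],
                forbidden: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Remediation list: every dependency that breaks a rule, with the reason."""
    violations = []
    for src in sorted(deps):
        for dst in sorted(deps[src]):
            if (src, dst) in forbidden:
                violations.append((src, dst, "explicitly forbidden"))
            elif layers.get(src, 0) < layers.get(dst, 0):
                violations.append((src, dst, f"upward dependency (layer "
                                   f"{layers[src]} -> layer {layers[dst]})"))
    return violations


if __name__ == "__main__":
    names, matrix = build_dsm(SAMPLE_DEPS, LAYERS)
    print(render_dsm(names, matrix))
    print("cycles:", find_cycles(SAMPLE_DEPS))
    for v in check_rules(SAMPLE_DEPS, LAYERS, FORBIDDEN):
        print("violation:", *v)
```

With the matrix ordered by layer, the one mark below the diagonal (db depends on service) is the upward dependency, visible at a glance without drawing an arrow, which is the scalability argument Sangal makes against box-and-arrow diagrams.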

The Eclipse-based tool, first unveiled 
at BZ Media's EclipseWorld Conference 
in August, is more capable than Lattix's 
stand-alone LDM product. "In the 
Eclipse version you can see the code," 
said Walden. "And if you make a viola- 
tion while you're coding, you will see the 
violation in real time. So a developer 
never has to check in code that violates 
the architecture rules." BZ Media is the 
publisher of SD Times. 

New since August is conceptual chart- 
ing, which Sangal described as a hierar- 
chical representation of complex systems 
simplified for nontechnical staff. "The 
conceptual [view] is for communicating 
[systems] to a wide audience of man- 
agers, QA people and so on." 

Sangal claimed another advantage 
over UML: better code-to-model syn- 
chronization. "Round-trip engineering is 
hard [to achieve]. With LDM, it is an 
automatic part of the build process and 
code is always synchronized." 

Walden said that UML and LDM 
also can be used together. "UML is very 
good for the detailed design. People use 
it to design class diagrams and to 
describe the system they are working on. 
[LDM] gives you the high-level, big-pic- 
ture view," he said, while maintaining an 
aggregated view. "All the interdepen- 
dencies are represented on-screen." 




Lattix claims that its Design Structure Matrix is more scalable than UML's. 
SPI Dynamics Paints Big Picture 



WebInspect hones in on AJAX; AMP to offer wider view of risk 



BY JENNIFER DEJONG 

Software security tools develop- 
er SPI Dynamics has charted its 
course for 2006 and taken the 
first two steps. 



The Atlanta-based company 
was expected to release in Janu- 
ary updates to its simulation 
testing tool WebInspect, and to 
AMP, its management offering 



for assessing application securi- 
ty risks. SPI Dynamics also 
revealed plans to tie all of its 
security tools to AMP this year, 
offering managers a compre- 



hensive view of application 
security, from coding to testing 
to production. "Companies 
looking to improve application 
security must approach it as a 
life-cycle problem," said Erik 
Peterson, vice president of 
product management for SPI 
Dynamics. 

New to WebInspect 5.8 is 
the ability to hone in on securi- 
ty holes associated with Asyn- 
chronous JavaScript and XML 
development methods. AJAX 
processes user requests imme- 
diately, presenting more oppor- 
tunities for hackers to exploit. 
"There are input validation 
issues galore," said Peterson. 
"Because AJAX moves applica- 
tion logic to the browser, there's 
a bigger attack surface." Some- 
times called XML injections, 
AJAX attacks are variants of 
SQL injections, where hackers 
insert malicious code into Web 
forms, accessing data meant to 
be off-limits, he said. 
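The input-validation point Peterson makes, as an added example that is not SPI Dynamics' code or WebInspect output: a server endpoint receiving the JSON body of an AJAX request. The first handler trusts the browser and splices the field into SQL, so a request the browser-side checks would never send still pulls every row; the second validates the field on the server and uses a parameterised query. The table, rows and request bodies are constructed for the demo with an in-memory SQLite database.

```python
import json
import sqlite3
from typing import List

# Constructed request bodies as an XMLHttpRequest would post them. Client-side
# validation is irrelevant here: anyone can send the second one directly.
NORMAL_REQUEST = json.dumps({"customer": "alice"})
INJECTED_REQUEST = json.dumps({"customer": "x' OR '1'='1"})


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three customers' orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 120.0), (2, "bob", 75.5), (3, "carol", 980.0)])
    return conn


def orders_unsafe(conn: sqlite3.Connection, request_body: str) -> List[int]:
    """Vulnerable handler: the JSON field becomes part of the SQL text."""
    customer = json.loads(request_body)["customer"]
    sql = f"SELECT id FROM orders WHERE customer = '{customer}'"
    return [row[0] for row in conn.execute(sql)]


def orders_safe(conn: sqlite3.Connection, request_body: str) -> List[int]:
    """Hardened handler: validate on the server, then bind the value."""
    body = json.loads(request_body)
    customer = body.get("customer")
    # Allow-list check on type, length and characters. The exact allow-list
    # depends on the field; the point is that the server decides, not the
    # JavaScript that AJAX moved into the browser.
    if (not isinstance(customer, str) or not customer.isalnum()
            or not 1 <= len(customer) <= 32):
        raise ValueError("invalid customer")
    # The value travels as a bound parameter, never as SQL text.
    rows = conn.execute("SELECT id FROM orders WHERE customer = ?", (customer,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run both handlers on both requests; returns the outcomes by name."""
    conn = make_db()
    out = {
        "unsafe_normal": orders_unsafe(conn, NORMAL_REQUEST),
        "unsafe_injected": orders_unsafe(conn, INJECTED_REQUEST),
        "safe_normal": orders_safe(conn, NORMAL_REQUEST),
    }
    try:
        out["safe_injected"] = orders_safe(conn, INJECTED_REQUEST)
    except ValueError:
        out["safe_injected"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Parameter binding alone would already stop the injection; the separate allow-list check is there because a scanner such as the one described will also flag fields that accept anything, and because the same unvalidated value usually flows on to logging, templates or other queries where binding does not apply.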

RAMPING UP AMP 

Unlike its predecessor 1.1, AMP 
2.0 is tightly integrated with 
WebInspect. That lets managers 
use AMP to orchestrate how 
teams of developers, including 
those at remote sites, use 
WebInspect to scan Web appli- 
cations for potential flaws. For 
instance, AMP can specify a pol- 
icy that says, "Don't scan pro- 
duction Web sites during the 
day," said Peterson. It automati- 
cally uploads all test results, 
which prevents developers from 
withholding negative results, 
which they fear may reflect 
poorly on their programming 
skills, he said. In addition, AMP 
can detect the presence of rogue 
Web applications, which busi- 
ness units may have developed 
without the consent of IT man- 
agement. And, because AMP 
has been rewritten to support 
Web services, that saves devel- 
opers from having to hand-code 
each point-to-point integration, 
he said. 

With AMP 2.0, SPI has taken 
its initial steps in moving AMP 
from being a developer tool 
focused on scheduling Web 
application scans to being a 
management product that pre- 
sents a big-picture view of a 
company's overall security risk, 
said Peterson. Later this year, 
AMP will integrate not only 
with WebInspect, but also with 
its DevInspect and QAInspect 
products. Because AMP will 
pull data from all three security 
tools, which monitor applica- 
tions under development, in QA 
and in production, it will enable 
management to control security 
risk by tracking trends — such as 
decreasing levels of defects, 
over time, said Peterson. 
Compuware Is Now Making House Calls 

Offers .NET app analysis service; SecurityChecker in sync with VS 2005 



BY ANDY PATRIZIO 

Compuware in late January was 
set to upgrade its DevPartner 
SecurityChecker software secu- 
rity analyzer to support Micro- 
soft Visual Studio 2005 and add 
more rules for testing application 
security. The company also 
kicked off an on-site .NET appli- 
cation testing service. 

DevPartner SecurityCheck- 
er is an analysis tool that scans, 
locates and flags known and 
potential security vulnerabili- 
ties in Microsoft ASP.NET 
applications written in either 
C# or Visual Basic. It tests both 
the applications and their inter- 
actions with the .NET Frame- 
work, either during compile 
time or execution. 

SecurityChecker offers both 
"white box" and "black box" test- 
ing, meaning it tests code inter- 
nally, by watching and examin- 
ing code as it executes, and also 
by employing bouncing exploits, 
corrupt information and other 
hacker-style tricks to attempt to 
crash an application. 

Compuware claims that most 
security products on the market 
are black-box tools, meaning 
they test for vulnerabilities from 
outside of the application. Some 
do white-box testing, but none 
do both, and most are focused 
on C++ and Java but not on 
the Microsoft .NET languages, 
said Ken Cowan, product line 
manager for SecurityChecker. 
"We're the only product with 
rules for specific .NET tech- 
nologies. Most other products 
on the market are looking at 
common Web vulnerabilities," 
he said. 

SecurityChecker 2 is updated 
to work with Visual Studio 2005 
and Visual Studio .NET 2003 
and adds 30 new testing rules. 
The rules are focused mostly on 
integrity analysis, according to 
John Carpenter, product manag- 
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er for SecurityChecker. New 
rules include binding and secu- 
rity hacks, and attempts to cir- 
cumvent ASP validation or force 



an application into trace/debug 
mode, which could reveal infor- 
mation about the application, 
said Carpenter. 



SecurityChecker's UI has 
been enhanced and is easier to 
customize, according to Car- 
penter. Compuware is now 



offering support for customers 
through its professional services 
arm, and an on-site service for 
.NET application analysis. 

SecurityChecker 2.0 is avail- 
able now for US$12,000, for a 
floating license and one year of 
maintenance. On-site analysis is 
available separately and does 
not require a license. I 
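The trace/debug exposure Carpenter mentions is, on the application side, a matter of a few web.config settings, so here is an added illustration of the weak configuration beside the hardened one. This is an editor's example, not Compuware's code and not a SecurityChecker rule; the element and attribute names are the standard ASP.NET system.web settings, and the error-page path is a placeholder.

```xml
<!-- Weak: debug build, page-level trace output and detailed error pages
     are all reachable by remote clients, so a failure or a trace request
     tells an outsider how the application is built. -->
<configuration>
  <system.web>
    <compilation debug="true" />
    <trace enabled="true" pageOutput="true" localOnly="false" />
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Hardened: release build, tracing off (and restricted to the local
     machine if someone turns it on again for troubleshooting), and a
     generic error page for remote users. "~/Error.aspx" is a placeholder. -->
<configuration>
  <system.web>
    <compilation debug="false" />
    <trace enabled="false" localOnly="true" />
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

The second fragment is what a scanner such as the one described above is checking for; the useful operational habit is to diff the deployed web.config against the hardened shape as part of release checks, since debug and trace settings tend to be switched on during an incident and forgotten afterwards.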
Fast Search & Transfer (FAST), a developer of real-time alerting technologies, and Neon Systems announced a partnership to incorporate FAST ESP with Neon's Shadow RTE mainframe integration software. The integration allows companies to find and access data residing in mainframe systems . . . SOA Software, provider of SOA management and governance products, has said it will set up a formal consulting practice. It will offer workshops for companies to achieve objectives with tailored programs designed to build SOA and Web services.

NEW PRODUCTS

British Columbia-based Good Software has released ProjectKoach 2006, a process-powered project management solution. The application's visual workspace allows for such functions as requirements and task allocation and defect tracking, and provides real-time project status updates. The ProcessKoach tool embedded in ProjectKoach is for process engineers and is based on Object Management Group's Software Process Engineering Metamodel (SPEM) specification for exchanging models created under different processes.

UPGRADES

VA Software last month was to release SourceForge Enterprise Edition 4.3, its collaborative software development platform. Version 4.3 adds Wiki integration and a Tracker Workflow . . . Trolltech has announced the release of Qt 4.1, a cross-platform makefile build tool. Key features include support for rendering Scalable Vector Graphics drawings and animations, and a PDF back end to the Qt printing system. It also includes a lightweight unit testing framework to enable thread- and type-safe testing of Qt applications . . . Infragistics has released NetAdvantage 2005 Volume 3. This new edition eases the transition from older versions of NetAdvantage and Visual Studio and allows users to import old projects into the new IDE . . . AspectJ has reached version 5, providing the first unified aspect-oriented programming package for Java 5. The new version also adds nearly 400 bug fixes . . . dtSearch, supplier of enterprise and developer text retrieval software, has announced a .NET Spider API for its Win and .NET search engine in all its version 7.2 products. It also updated its dtSearch Engine for Linux to the "terabyte indexer" codebase . . . BuildForge has announced that its FullControl build and release management system and a plug-in for Rational Application Developer have met the requirements of IBM's "Ready for IBM Rational" integration program. The integration for the first time gives users of IBM's ClearCase source repository a validated means to automate the processing, hand-off and documentation of application development across the life cycle . . . The Eclipse Foundation has released BIRT 2.0, an update to the Business Integration and Reporting Tools project for Web-based J2EE applications that adds the ability to import CSS style sheets and create larger, persistent reports. The tool also now includes a scripting editor with support for Java and JavaScript, a code reuse library, improved charting and better support for PDF . . . MobileDataforce has updated PointSync, its rapid application development environment for extending enterprise data to devices running Palm OS and Windows Mobile in the field. New to version 3.0, released in January, is two-way synchronization support for Microsoft SQL Server, and about 70 new predeveloped application functions.

PEOPLE

Funambol, the mobile open-source software company, has announced Rony Greenberg as the vice president of business development . . . David Canelis has been appointed vice president of professional services and Peter Sianchuk vice president of worldwide customer support for Serena . . . Encirq, provider of data-centric development solutions, has appointed Steve Weick vice president of engineering and product development . . . David Lyman has joined BZ Media as an advertising sales manager for SD Times and Eclipse Review. Lyman, who had been a sales manager for Fawcette Technical Publications, will focus on the Northeast U.S. territory.



Coverity Uncovers Concurrency Errors

BY JENNIFER DEJONG

San Francisco-based Coverity has updated its source code analyzer, enabling it to detect errors associated with concurrent programming.

Prevent 3.2, which the San Francisco-based company announced late last year, finds errors such as double locks, missing locks and incorrect lock ordering in C/C++ source code, said Coverity product manager Andy Yang. "They are not everyday types of bugs. But when they happen, they are hard to track down."

Locks and unlocks are used to manage shared functions, variables and resources in applications that execute multiple threads concurrently. Applying locks and unlocks effectively in complex applications is difficult and requires a high degree of developer skill, said Yang. Errors are typically the result of incorrect use, he said. Prevent addresses such errors by tracking, for example, how a piece of memory is locked by function. It can follow complex paths through the code to find errors such as a missing unlock, or a lock that has been applied twice, or in the wrong order, said Yang. The tool identifies and provides information about errors, and recommends fixes.

Also new to 3.2 is integration with the Eclipse framework, IBM Rational Software Development Platform and Wind River Workbench IDE, as well as more detailed reports, which can compare, for example, defect rates across multiple builds and releases, said Yang.

A key reason why concurrent programming errors are hard to detect is that they are difficult to reproduce in the testing process. They typically don't manifest themselves until the application is deployed, said Yang. By scanning source code, Prevent can help detect such errors early in the development process. "But we are not saying we can find all concurrency problems. That is impossible," he said.

Coverity competitor Fortify, in Palo Alto, Calif., also can pinpoint problems associated with concurrent programming, including double locks and race conditions, which can occur when threads of operation contend for the same resources, said Fortify CTO Roger Thornton. Source code analysis is not the only way to find concurrent errors. For instance, testing tools such as Compuware's DevPartner Studio can detect how parts of an application are locking different resources, said Ken Cowan, a product line manager for the Detroit-based company.
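To make the three error classes Yang lists concrete, here is an added example, written for this page rather than taken from Coverity, of a checker that walks one recorded path of lock operations and reports the first violation: a lock taken while already held, an unlock of a lock never taken, a lock still held when the path ends, and a lock acquired out of order. A real analyzer has to do this over every path in a program and across function calls, which is what makes the problem hard; the rules themselves are this small. The ascending-index lock order enforced here is a convention chosen for the example, and the sample paths are constructed.

```c
/*
 * Added example (not Coverity's code): a minimal lock-discipline checker
 * for one execution path. The ordering rule assumed here is that locks
 * must be acquired in ascending index order; any fixed global ranking of
 * locks serves the same purpose. The sample paths below are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_LOCKS 8

typedef enum { OP_LOCK, OP_UNLOCK } op_kind;

typedef struct {
    op_kind kind;
    int lock;                  /* index of the lock, 0 .. MAX_LOCKS-1 */
} lock_op;

typedef enum {
    PATH_OK = 0,
    ERR_DOUBLE_LOCK,           /* lock taken while already held (self-deadlock) */
    ERR_UNLOCK_NOT_HELD,       /* unlock of a lock this path never acquired */
    ERR_MISSING_UNLOCK,        /* path ends with a lock still held */
    ERR_LOCK_ORDER,            /* lower-ranked lock taken after a higher one */
    ERR_UNKNOWN_LOCK           /* lock index outside the tracked range */
} path_verdict;

/* Walk one path of lock operations; returns the first violation found. */
path_verdict check_path(const lock_op *ops, size_t n)
{
    bool held[MAX_LOCKS] = { false };

    for (size_t i = 0; i < n; i++) {
        int l = ops[i].lock;
        if (l < 0 || l >= MAX_LOCKS)
            return ERR_UNKNOWN_LOCK;

        if (ops[i].kind == OP_LOCK) {
            if (held[l])
                return ERR_DOUBLE_LOCK;
            /* ordering rule: nothing ranked above l may already be held */
            for (int h = l + 1; h < MAX_LOCKS; h++)
                if (held[h])
                    return ERR_LOCK_ORDER;
            held[l] = true;
        } else {
            if (!held[l])
                return ERR_UNLOCK_NOT_HELD;
            held[l] = false;
        }
    }
    /* end of path: every lock taken must have been released */
    for (int h = 0; h < MAX_LOCKS; h++)
        if (held[h])
            return ERR_MISSING_UNLOCK;
    return PATH_OK;
}

const char *verdict_name(path_verdict v)
{
    static const char *names[] = {
        "ok", "double lock", "unlock of lock not held",
        "missing unlock", "lock-order inversion", "unknown lock"
    };
    return names[v];
}

/* Constructed sample paths, one per outcome. */
const lock_op PATH_CLEAN[]        = { {OP_LOCK, 0}, {OP_LOCK, 1}, {OP_UNLOCK, 1}, {OP_UNLOCK, 0} };
const lock_op PATH_DOUBLE[]       = { {OP_LOCK, 0}, {OP_LOCK, 0} };
const lock_op PATH_LEAK[]         = { {OP_LOCK, 0}, {OP_LOCK, 1}, {OP_UNLOCK, 1} };
const lock_op PATH_ORDER[]        = { {OP_LOCK, 1}, {OP_LOCK, 0}, {OP_UNLOCK, 0}, {OP_UNLOCK, 1} };
const lock_op PATH_STRAY_UNLOCK[] = { {OP_UNLOCK, 0} };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("clean path    : %s\n", verdict_name(check_path(PATH_CLEAN, COUNT(PATH_CLEAN))));
    printf("double lock   : %s\n", verdict_name(check_path(PATH_DOUBLE, COUNT(PATH_DOUBLE))));
    printf("leaked lock   : %s\n", verdict_name(check_path(PATH_LEAK, COUNT(PATH_LEAK))));
    printf("wrong order   : %s\n", verdict_name(check_path(PATH_ORDER, COUNT(PATH_ORDER))));
    printf("stray unlock  : %s\n", verdict_name(check_path(PATH_STRAY_UNLOCK, COUNT(PATH_STRAY_UNLOCK))));
    return 0;
}
```

The ordering rule is the part worth copying into a real code base: a fixed global ranking of locks is what makes a lock-order inversion, and therefore the ABBA deadlock that follows from it, detectable by inspection or by a tool before the application is deployed, rather than by the "system freezes up" symptom the article describes.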



Java Wars: IBM Catches Up to JBoss

< continued from page 5

ence, is when another tool or SDK/API supports it. Often, when your options are Visual Basic, C# or Java, I will choose Java every time. I feel Java will provide me a longer lifecycle for my application," indicated Jeffrey McDole, IT planning manager at the University of Michigan.

APPLICATION SERVERS

Since 2002, the Java Use and Awareness Study has asked about Java application server usage. In 2002, the top app server was IBM's WebSphere (29.0 percent usage), followed by BEA's WebLogic (24.5 percent), then Oracle (20.8 percent), Macromedia's JRun (14.7 percent), JBoss (13.9 percent) and Sun (11.7 percent).

IBM in 2005 reclaimed its crown, though the razor-thin margin remains a statistical dead heat, with IBM at 37.2 percent and JBoss at 37.0 percent. There is also a statistical tie between BEA and Oracle, with both at 27.2 percent. Sun showed a strong increase to 19.7 percent, while JRun continues to sink, and is now at 6.8 percent.

"JBoss is pretty darn good. My impression is that folks mostly use it for development. However, it has served us well in a production environment," said Dennis Gesker, manager of special projects at Alamon Telco. "IBM WebSphere Application Server is expensive but the support is excellent," said Mark Busemeyer, systems analyst and development lead at Ohio National Financial Services.

"A few departmental applications run on JBoss in production, but for the most part JBoss is used for development. Currently SAP NetWeaver is only used for SAP-provided applications," said Fernando Olcoz, development lead at CEPSA, a Spanish industrial materials supplier. NetWeaver is currently at 4.5 percent.

DEVELOPMENT TOOLS

In the August 2002 Java Awareness Study, the top-ranked IDEs were Borland's JBuilder (34.7 percent), Microsoft's Visual J++ and Visual J# .NET (25.1 percent), Oracle's JDeveloper (24.7 percent), WebLogic Workshop (11.7 percent), and Sybase's PowerBuilder (5.5 percent). How things have changed.

In the December 2005 study, the top development environment is Eclipse by a wide margin over the second-most popular, IBM's WebSphere Studio — 65.1 percent to 20.0 percent. Eclipse usage has been climbing steadily since it debuted in this research at 34.5 percent in 2003.

Borland has continued losing market share, falling to 19.2 percent, while Sun's NetBeans has remained fairly steady at 17.9 percent. JDeveloper and BEA's WebLogic Workshop have also been falling, and are now at 15.0 percent and 7.2 percent.

Feelings about Eclipse are mixed. "Eclipse is a fantastic tool; I'm very impressed with the frequency and quality of releases," said Jeff Langr, owner of Langr Software Solutions. "I find Eclipse often too clumsy, so it is too bad that it is the closest thing to a standard and not something like JBuilder. That is the cost of vendors not working together and thinking they can corner a market niche," said Bruce Wallace, president of PolyGlot, a custom development firm.

The next BZ Research Java Awareness Study will be conducted in late 2006.





Software Development Times, February 1, 2006, www.sdtimes.com



Multicore Processors: Exploring Best Practices for Building Apps That Take Advantage of Concurrency

< continued from page 1

an old problem: the difficulty of designing and coding applications that execute multiple processes concurrently.

Dual-core processors don't fundamentally change the way developers write applications, said Margaret Lewis, director of commercial ISV marketing at Sunnyvale, Calif.-based chipmaker AMD. But they further enable multithreading — also known as concurrent development or parallel programming — in which an application sends "multiple execution strings to the processor," she said.

Threads within multithreaded applications, which also can run on single processors, often compete for shared resources (such as memory and disk space) as well as variables and functions. Problems occur, for example, when a multithreaded application locks a resource and fails to unlock it once the thread has completed its task, said Andy Yang, product manager at San Francisco-based Coverity, which sells a source code analyzer, among other tools. "The system freezes up."

Race conditions happen when threads compete for the same resources and the application fails to specify the order in which the threads can access those resources. "You solve the problem with synchronization," said Reinders. "If the flag is up, don't take [the resource]. If the flag is down, it's available."

Detecting either error is difficult because collisions don't always occur, so pinpointing the problem is a matter of timing, said Ken Cowan, a product line manager for Detroit-based Compuware, which sells coding, testing and other tools. When QA tests the app by hand, the error doesn't appear, but it may show up in load testing, he said. "With 50 users, the application fails. And it's not clear why."

Avoiding such errors takes skill. "Don't write multithreaded code if you don't know what you are doing," said Roger Thornton, CTO of Palo Alto, Calif.-based Fortify, which sells application security tools. Because such applications execute tasks in parallel, instead of sequentially, the developer has to understand the principles of how a program shares resources, he said. Without that knowledge, errors are a likely outcome.

THREAD-SAFE

Java and C# are "thread-safe," while older languages such as C and C++ must rely on third-party libraries to provide that capability. Thread safety is important because it reduces the risk of collisions, said Thornton. "The runtime knows to lock your functions, but you still need to understand [the concept of] threading," he said. Thread-safe tools don't shield developers from the complexity of writing multithreaded apps, added Compuware's Cowan. "They let programmers who don't understand concurrent programming [practice] it," he said. And that can get them in trouble.

"It's kind of like giving a loaded gun to kids," echoed Coverity's Yang. "Make sure you have the proper experience level."

To avoid trouble, begin by addressing concurrency issues in the design phase. "You have to think about shared data between multiple threads" and make sure you use synchronization locks consistently, said Cowan, referring to the process of locking and unlocking shared resources in concurrent applications. "It is tricky to implement."

Designing for concurrency is about getting a clear focus on how to decompose a problem, added Intel's Reinders. "You are asking: 'How do I break this program up?'"

The key is to approach the application's design the same way a group of people approaches a task, such as collecting old Christmas trees and chopping them up. The trees are collected in parallel; they are chopped up in parallel, he said. "It's natural to think that way."

FOR MULTI'S SAKE

The point of multithreading is to boost performance. Use it to that end, not just for the sake of it, said Fortify's Thornton. Developing apps that can execute tasks simultaneously offers developers a freedom that doesn't exist with sequential programs.

"But you have the responsibility to weigh the trade-offs," he said. "Sometimes you may go back to the design and find you didn't need threading."

And even when an application calls for concurrency, developers must figure out how to divvy up the work so multiple processors don't have to synchronize too often.

"Two or three operations can run in parallel and you get performance benefits," said AMD's Lewis. "But the next level of performance gains is harder." The best candidates for parallelization are tasks that are not heavily interdependent, such as pulling data from a Web server while simultaneously updating the user interface. "Simple things result in the most immediate returns."

As dual-core chips gain currency, developers should analyze existing applications — both multithreaded and sequential — to spot opportunities for incremental improvement. (Tools such as Thread Checker from Intel and CodeAnalyst from AMD can help pinpoint them.) "Look for compute-intensive [operations] that process a lot of data, such as resizing or removing red eye from digital photos," said Intel's Reinders. Doing that is a matter of rewriting a subroutine that lets two processors share the job, he said. "In the long run, every software program out there will take advantage of multiple processors."
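The race condition Reinders describes, Cowan's "works by hand, fails under load" symptom, and the two remedies the article discusses (synchronization, and decomposing the work so threads do not share state) can all be shown in one small program. The following is an added example written for this page, not code from the article or from any of the vendors it quotes; the thread count and iteration counts are constructed values.

```c
/*
 * Added example (not from the article or any vendor quoted in it).
 * Variant 1: several threads increment one shared counter with no lock,
 *            so read-modify-write sequences interleave and updates are lost;
 *            the total comes out short, and by how much varies run to run.
 * Variant 2: the same work under a mutex; the total is exact.
 * Variant 3: each thread keeps its own partial count and the totals are
 *            combined after the join: no shared mutable state, no lock needed.
 * NTHREADS and PER_THREAD are constructed values.
 */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define NTHREADS   4
#define PER_THREAD 200000L

struct worker {
    volatile long *shared;     /* shared counter (unused by the decomposed variant) */
    pthread_mutex_t *lock;     /* NULL means unsynchronized: the buggy variant */
    long partial;              /* per-thread result for the decomposed variant */
};

/* Variants 1 and 2: every thread bumps the same counter, with or without a lock. */
static void *bump_shared(void *arg)
{
    struct worker *w = arg;
    for (long i = 0; i < PER_THREAD; i++) {
        if (w->lock) pthread_mutex_lock(w->lock);
        *w->shared = *w->shared + 1;   /* read, add, write: racy without the lock */
        if (w->lock) pthread_mutex_unlock(w->lock);
    }
    return NULL;
}

/* Variant 3: each thread counts privately; nothing is shared while threads run. */
static void *bump_private(void *arg)
{
    struct worker *w = arg;
    for (long i = 0; i < PER_THREAD; i++)
        w->partial++;
    return NULL;
}

/* Runs NTHREADS workers in the requested variant and returns the final total. */
long run_counter(bool use_lock, bool decompose)
{
    pthread_t tid[NTHREADS];
    struct worker w[NTHREADS];
    pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    volatile long shared = 0;

    for (int i = 0; i < NTHREADS; i++) {
        w[i].shared = &shared;
        w[i].lock = use_lock ? &lock : NULL;
        w[i].partial = 0;
        pthread_create(&tid[i], NULL, decompose ? bump_private : bump_shared, &w[i]);
    }

    long total = 0;
    for (int i = 0; i < NTHREADS; i++) {
        pthread_join(tid[i], NULL);   /* all threads done before results are read */
        total += w[i].partial;
    }
    return decompose ? total : shared;
}

long expected_total(void) { return NTHREADS * PER_THREAD; }

int main(void)
{
    printf("expected        : %ld\n", expected_total());
    printf("racy, no lock   : %ld\n", run_counter(false, false));
    printf("mutex-protected : %ld\n", run_counter(true, false));
    printf("decomposed      : %ld\n", run_counter(false, true));
    return 0;
}
```

Two things to notice when running it. The unlocked total is sometimes correct, especially on a lightly loaded or single-core machine, which is exactly why a race passes a manual QA pass and surfaces under load. And the decomposed variant is both correct and free of lock traffic, which is the "divvy up the work so processors don't have to synchronize too often" advice in practice: the only synchronization is the join at the end.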
N Software Offers Free AS2 Tool

BY ALEX HANDY

When Wal-Mart mandated in 2003 that many of its suppliers retool their information infrastructures to support AS2, an IETF specification for HTTP-based transmittal of purchase orders, invoices and trading information, many companies were pushed against a wall.

The issue persists three years later, and in early January N Software released the N Software Free AS2 Connector, a Windows-based tool that allows users to connect to a single AS2-enabled vendor.

Gent Hito, president and CEO of N Software, said that the Wal-Mart directive has pushed AS2 into the market as the only accepted standard in the world of digital trading. "It's the only one that has been approved by a standards body." A draft of AS2, which stands for Applicability Statement 2, was approved by the Internet Engineering Task Force last year.

Hito said N Software decided to offer a version of its connector for free because "from our point of view, there are lots of players in this space, companies like IBM, Sun and Oracle. There hasn't been a low entry point product up until now. I remember the case of a small company in Michigan who sent one invoice a month to Wal-Mart. They needed to set up a [US]$15,000 system to do that."

The Free AS2 Connector runs on any Windows desktop, but will communicate with only a single vendor. Hito hopes that offering the free version will encourage users to upgrade to N Software's multiple-vendor edition, which starts at $499.

Hito also said that companies could use the free connector as a standard tool for allowing suppliers to communicate with their own central hub of data collection. The N Software Free AS2 Connector is available now from www.freeas2.com.

SoftLogica Updates Load Testing Tool

BY ALEX HANDY

Beating up your Web applications is a fundamental part of the testing process. Now, SoftLogica hopes to get in on your company's Web beatdown with version 4.0 of WAPT, its Web site/server/application load, stress and performance testing tool. WAPT 4.0 is designed to be a simple and friendly tool that will play well with both your testers and your other application suites. SoftLogica says that WAPT 4.0 is able to generate up to 2,000 simultaneous simulated users, provided it has a relatively new desktop computer (2GHz or faster) at its disposal. Behind these tests is a simple interface that helps users point-and-click their way to a finalized load test. Configuration files generated by these mouse clicks are saved in XML, and can be modified by external applications to modify cookie states, user information and other important data that can be used to further your Web-server torturing activities.

SoftLogica's WAPT 4.0 runs on Windows, and costs US$250 per seat. It is available directly from the company's Web site at www.loadtestingtool.com.






AdaCore's GNAT Flies With a New UI

BY ANDY PATRIZIO

AdaCore has updated GNAT Programming Studio (GPS), its integrated development environment for the Ada programming language.

The most notable change in GPS 3.1 is its 64-bit support for Linux and several Unix versions running on Intel Itanium and AMD and Intel x64 processors.

GPS 3.1 also features a UI overhaul with a better layout of graphical information and a more user-friendly location view, enhanced tool tips, code completion and new project-editing capabilities.

Other new features include improved plug-in capabilities and Python extensions, refactoring (restructuring code to improve design), improved assembly view and improved version control system support.

GPS itself is written in Ada, and is based on the GtkAda toolkit. The IDE has a number of code navigation and analysis tools, such as call graphs, source dependencies, project organization and complexity metrics. The UI is customizable, so developers can configure the interface for the features they use the most. The environment also supports C and C++.

GPS 3.1 began shipping in December and is available for Linux, Unix and Windows. Customers should contact AdaCore for pricing and configuration information.

GPS is sold separately or as a part of the GNAT Pro Ada Development Environment, a complete development suite with a visual debugger, a set of supplemental libraries and bindings, the complete source code for the application and a support service.

Macworld Shows FileMaker Tools

< continued from page 1

its code as C source, permitting further user optimization and control.

Localize Technologies lobbied for new customers at a kiosk not far from Andescotia's. The company offers application localization services, and was at the show to hype its ability to translate Mac OS X applications to other spoken languages.

FMNexus released Inspector 1.0, a tool designed to ease the debugging and troubleshooting process for FileMaker developers by parsing the XML that FileMaker outputs, making the process of tracking down database issues much simpler. Inspector 1.0 costs US$399 per seat or $2,500 per site.

WorldSync showed off its latest FileMaker tool, Syncdek 6. The software is designed to synchronize FileMaker databases automatically, keeping folks in the field up to date with a central database. Syncdek 6 costs between US$249 and $1,999, depending on configurations and user licenses.

Finally, .Com Solutions showed off FmPro Migrator, a tool that converts FileMaker databases to and from a multitude of SQL databases, including DB2, MySQL, Oracle, Microsoft Access and SQL Server and Sybase. The tool costs US$100 per seat and is available now for Mac OS X and Windows from www.fmpromigrator.com.
Subversion Team Sees Bright Future for Releases

< continued from page 1

Price. "It's actually been picking up for the last year or two. A couple of our recent patches have been from India."

Price believes that part of the impetus for the creation of Subversion was the desire for a couple of features that, because of CVS' architecture, would have required workarounds. "These were things like atomic commits and directory versioning," he said, adding that not everyone needs those features. "I think CVS is still a viable tool."

Price has seen a number of new CVS installs in his consultancy business. "I know from my business experience and who's calling me in for training that there are still people moving to CVS. I'm getting more of those than I used to. Whether that's an upswing in my business or an upswing in CVS in general, I couldn't tell you."

Rooney, though, believes it is Subversion that is enjoying the biggest upswing, and said the Subversion team hopes to add in this summer's version 1.4 the ability to hot-sync multiple repositories.

Subversion's future should be expansive, according to Karl Fogel, who has been writing code for the Subversion project since its inception. Now a software collaboration specialist at CollabNet, he wrote the code that allowed for anonymous CVS access. He also co-authored a book titled "Open Source Development With CVS."

"We would like to take on problems like merge tracking," said Fogel of future work on Subversion. "We've put merge tracking off for a long time because we try to do what our users ask for. We discovered a lot of our users had needs that weren't merge-tracking-related."

Fogel also said that future versions of Subversion should include log filtering and property inheritance for directory trees within repositories.

Price, too, is working on improvements for CVS, including a major update arriving sometime this spring that would include PGP-signed commits. Price cited a number of recent high-profile CVS repository hacks — including that of Debian's central repositories and those of cvshome.org — as reasons behind the security push.

"In general, the CVS developers beg off of security," said Price. "We say, 'Use OpenSSH for your transport' or 'Use the OS' permissions.' We want you to use other people's tools for that part of the work. We do pay attention and we do fix security bugs, but generally we try and ask people to minimize the potential for damage by leaning on other tools."

Said Rooney: "I think that if you're a developer who's already used to CVS and generally likes it but has some things about it that you think are kind of annoying, like [that] it takes forever to tag giant trees when you're making a release, we can let you keep the same workflow you're used to but with a tool that's designed in this decade."
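Price's advice to lean on OpenSSH for transport and on the operating system's permissions for access control is easy to state and easy to get wrong on a shared repository host, so here is an added example of what the permissions half looks like: one function that hardens a repository directory for a committer group, and one that audits it afterwards. This is an editor's example, not code from the CVS or Subversion projects; the repository path and group name are placeholders supplied by the caller, and the test data is constructed.

```sh
#!/bin/sh
# Added example (not CVS or Subversion project code): OS-level access control
# for a repository reached over OpenSSH. Repository path and committer group
# are placeholders passed in by the caller.

# harden_repo_dir REPO GROUP
# Give the committer group read/write access, strip all access from "other",
# and set the setgid bit on directories so files created by a commit inherit
# the repository group rather than the committing user's primary group.
harden_repo_dir() {
    repo="$1"; grp="$2"
    [ -d "$repo" ] || { echo "no such directory: $repo" >&2; return 1; }
    chgrp -R "$grp" "$repo" || return 1
    chmod -R u+rwX,g+rwX,o-rwx "$repo" || return 1
    find "$repo" -type d -exec chmod g+s {} + || return 1
}

# repo_perms_ok REPO
# Succeeds (exit 0) only if nothing under REPO is readable, writable or
# traversable by "other". The first offending path is reported on stderr.
# Intended as a periodic audit step after the one-time hardening above.
repo_perms_ok() {
    offending=$(find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print 2>/dev/null | head -n 1)
    if [ -n "$offending" ]; then
        echo "world-accessible path in repository: $offending" >&2
        return 1
    fi
    return 0
}

# Usage with placeholder values:
#   harden_repo_dir /srv/cvsroot cvsusers && repo_perms_ok /srv/cvsroot
```

The audit function is the part that earns its keep: the hardening is a one-time action, but a restore from backup, a manual copy of an RCS file, or a user with a permissive umask can reintroduce world-readable history, and `repo_perms_ok` run from cron catches that the same day rather than after the next incident.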
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A Valentine's Day Gift for .NET Integrators 

Stone Bond's alternative to BizTalk supports C#, .NET 2.0

BY EDWARD J. CORREIA

Claiming to offer a faster and more capable alternative to Microsoft's BizTalk server, Stone Bond Technologies on Feb. 14 is scheduled to release Enterprise Enabler Server 2006, an update to its integration server for .NET that the Houston-based workflow solutions developer says now supports C# code and the .NET 2.0 framework, and is less complicated to install and use than its Redmond counterpart.

"I don't know that there are that many .NET-based EAI and ETL tools out there," said Pamela Szabo, co-founder and CIO of Stone Bond. "BizTalk is the only other one that we know of that's of any significance."

According to Nikhil Roy, program manager for Enterprise Enabler (EE) Server, the platform takes a fundamentally different approach to integration than Microsoft's. "BizTalk works by processing messages, which have to be in XML format," he said. "If you're pulling data from SQL Server into a flat file [for instance], you're forced to turn it to XML and then to a flat file."

Microsoft would not comment on Stone Bond's claims directly, but Pearson Cummings, Microsoft's communications manager for application platform and development marketing, said BizTalk has "been met with broad adoption of large and medium-sized enterprises" and is currently being used to connect disparate "business applications, mainframes and databases." Since the introduction of BizTalk Server 2000 in December of that year, Microsoft has updated the product three times, Cummings said.

A significant enhancement in EE Server for version 2006, Roy said, is the ability to expose processes as Web services. "This allows a process to be triggered by an external SOAP call, thereby abstracting the logic and flow of the process of the caller," and effectively act as a wrapper around legacy applications.

Nikhil claimed that Enterprise Enabler 2006 is built completely with managed code. "There's no legacy code in there. That lets developers build applications using Visual Basic or C#," the latter of which is new to version 2006.

Enterprise Enabler 2006 includes a runtime engine for Windows servers and a GUI-based designer for building processes and workflows. Messaging support includes JMS, MSMQ, TIBCO and WebSphere MQ. The standard edition costs US$5,999 per server processor and includes several integration connectors and can handle 10 workflows; an enterprise edition costs $18,999 per processor and includes additional prebuilt connectors, can process unlimited workflows, and offers an optional change management module.

ChipCon Gets Some Texas Hospitality

TI acquisition of ZigBee developer boosts up-and-coming wireless spec

BY EDWARD J. CORREIA

With its December acquisition of wireless circuit maker ChipCon, Texas Instruments gives what one analyst believes is a much-needed boost to ZigBee, an emerging lightweight wireless communications protocol based on the IEEE 802.15.4 standard.

"ZigBee is still a long way off," said Stuart Carlaw, principal analyst with ABI Research, a high-tech research firm headquartered in Oyster Bay, N.Y. "In context, Bluetooth was ratified in 1999, but it wasn't until 2002 that we started seeing large growth. ZigBee is just starting to ramp up." The spec, developed by a consortium that now consists of about 200 companies, was ratified in December.

ZigBee's raison d'être is its ability to communicate at a relatively high data rate while using scant system resources and just a trickle of power. "There's a need to drive down [integrated circuit] prices," said Carlaw. "Not for mass media devices like MP3 players and wireless headsets, but for safety lighting, home automation, remote meter reading and so on. It's more of a convenience technology, really." And ZigBee is royalty-free.

"This is a market we are very interested in, both in the home and factory setting," said Art George, vice president of TI's high performance linear business unit. "We really needed to have resources of our own to move forward in this market," he explained about the acquisition of ChipCon, which had previously been a partner. "ChipCon is a strong player in this market, and there were synergies between [the companies]. It was a good fit."

TI paid roughly US$200 million for ChipCon, which employs about 120 people in its Oslo, Norway, headquarters and San Diego office. "We value the talent in both locations and plan to add to those teams once the deal closes," which he said was expected by the end of January.

Carlaw agreed that the move was important for TI because it gives the company an instant presence in a growing segment of the market. "TI as an organization has a large presence in a number of communications; their Bluetooth and wireless LAN offerings are fairly well established. ZigBee is complementary, it doesn't conflict, it has heavy names behind it, and uptake will be steady."

George said that for products already in development, nothing will change as a result of the acquisition. "Longer term, things that will evolve might be SoC solutions with ChipCon [technologies] and our microprocessors and some optimized multichip solutions."

THE BUSY ZIGBEE

What's in a Name?

The domestic honeybee, a colonial insect, lives in a hive that contains a queen, a few male drones and thousands of worker bees. The survival, success and future of the colony is dependent upon continuous communication of vital information among all members of the colony. The technique that honeybees use to communicate new-found food sources to other members of the colony is referred to as the ZigBee Principle. Using this silent but powerful communication system, whereby the bee dances in a zigzag pattern, she is able to share information such as the location, distance and direction of a newly discovered food source to her fellow colony members. Instinctively implementing the ZigBee Principle, bees around the world industriously sustain productive hives and foster future generations of colony members.

Secure Wind River RTOS Could Protect Workstations



BY EDWARD J. CORREIA

VxWorks on the desktop? Maybe. Wind River in mid-January released a version of its VxWorks real-time operating system that complies with Multiple Independent Levels of Security, a specification it developed as part of a consortium that includes the National Security Agency, United States Air Force Research Laboratory and several military contractors and embedded software developers.

The company hinted at a VxWorks-powered workstation some time in the future.

Multiple Independent Levels of Security (MILS) defines systems in terms of information flow, data isolation, periods processing and damage limitation. MILS is designed to permit access to applications or data at various levels of security from a single device or workstation. The Wind River implementation complies with the FAA's DO-178B level 1 guidelines for developing secure software.

Chip Downing, Wind River's industry marketing manager for aerospace and defense, said that while the technology was developed with those industries in mind, it has applications any place where it's helpful to reduce the number of devices or workstations being deployed for secure data access. "We're all hampered by security problems, whether you're a bottling company or weapons company. This is a great concern."

Access systems right now consist of workstations — both secure and insecure — and devices that are sending data into those workstations for viewing, Downing said. Depending on the security rating of the data, companies often deploy dedicated workstations for each security level.

"Now from the same workstation or device you'll be able to view secure and nonsecure data from a wide variety of secure devices without compromising the security of that channel," he said. "That's the next step. Once you have the secure foundation, you can run Windows or Linux," he added.

GRIST FOR THE MILS

Downing pointed out that such a solution is not yet a reality for Wind River customers. "VxWorks is fully capable of doing that at this time and with our Linux product, but we're not announcing that today. Other [companies] have created a workstation environment from a secure RTOS."

Two such companies are LynuxWorks and Green Hills. But what sets Wind River's solution apart, Downing claimed, is what he called a qualified XML compiler, which can configure the kernel and its operations and security policies under partitions without having to generate a new kernel. He said it's a host-based tool for Ada, C or C++ that can configure security policies, communications with other partitions, fail/restart/discard properties of an application and how much execution time it gets. "It's one of the most interesting uses of XML on the planet and differentiates us from competitors. It makes [a system] maintainable and usable because you don't have to touch the kernel."
BY REX BLACK

As more businesses and consumers place their assets or personal information on the Internet, developing secure software is no longer simply desirable — it's completely essential.

Some developers might assume that most security problems arise from the operating system or networking layers, well below the application code they are working on. However, recent figures for Web-based applications show that more than three-quarters of security exploits arose from applications.

So, you know you need secure code, but how do you get there? What are the security risks? What security failures and bugs do we have? What do these security risks, failures and bugs mean? How can I reduce security risk in a way that doesn't create new problems? How do I monitor my progress over time? Here are seven steps that will allow you to answer these and other questions as you improve your software's security.

STEP 1: ASSESS THE RISKS

Applications tend to have characteristic security risks. These risks often arise from the implementation technology. For example, C and C++ are notorious for their lack of inherent array range checking, and consequent buffer-overflow bugs, which allow hackers to insert malicious code into very long input strings. People writing applications with databases have to worry about SQL injection, where hackers put queries into otherwise benign fields and gain access to sensitive data.

Security risks also can arise from the business application domain. For example, since they deal in money, banking applications are attractive targets for criminals and a major source of worry for bank IT departments. Applications that store personal information, such as medical history, are subject to regulations like HIPAA that require strict privacy controls.

Risk awareness is the first step in risk reduction. Companies have been reluctant to let outsiders know about the security failures they've had, but some of their failures make the news, and users report others. For example, the Open Web Application Security Project (www.owasp.org) provides good information for those developing Web applications, as does the World Wide Web Consortium's security page (www.w3.org/Security). Carnegie Mellon's Software Engineering Institute's CERT Coordination Center (www.CERT.org) provides a broader look at computer security issues. Last but not least, check out the searchable Risks Digest archives (catless.ncl.ac.uk/Risks) for great anecdotes and commentary on software risks, including security-related risks.

In addition to being aware of the failures, you need to be aware of the underlying bugs themselves. Depending on the kind of applications you're writing, you'll want to read appropriate books and Web sites for hints on common insecure coding constructs and how to avoid them. For example, entering "secure programming" in the Amazon.com search engine yields dozens of books, some general, some quite specific.

Once you are aware of the kinds of security risks that could affect your software, do a security risk analysis. Identify the specific risk items that you should be aware of. Meet with stakeholders to determine the level of risk in terms of likelihood and impact. Likelihood relates to the chances of any given risk becoming an actual security bug in your software. Impact relates to the effect on customers, users and your software should the bug be exploited. Your analysis of the risks and their associated levels of impact will allow you to create a prioritized list of potential security failures.

STEP 2: TEST TO KNOW WHERE YOU STAND

Many software development organizations don't have the luxury of starting over with new code on every project, but also have not had a chance to check existing code for security problems. Doing a security test on that code is critical.

This type of test is often called a penetration test. Its purpose, as the name suggests, is to discover ways in which hackers and other unauthorized users can penetrate your system. Such a test is useful to check for security failures that your application already presents to the real world.

Remember that the best lock in the world does no good if it's installed in a door made of rotten wood. Similarly, applications with great security features that users install in insecurely configured environments can be hacked.

Do your installation procedures, user documentation, provisioning processes and notification mechanisms support or impede security? I recently signed up for an account on an e-commerce site that seemed to have good security at first. I was asked to create a user name and password. The application enabled SSL encryption during this process. The input field masked the password when I entered it. I was then told that the application would e-mail me an activation notice after it verified my information. When I received the activation notice, the user name and password were in the e-mail, unencrypted and available to anyone who saw or intercepted that e-mail! Private and identifying information should not be stored or transmitted in an insecure fashion.

Consider identifying risk cases for each security requirement. Risk cases are like use cases — though perhaps more properly termed "misuse cases" — that lay out various scenarios of security failure. If you think about end-to-end processes that users go through, along with the environments in which your software will be deployed, you may think of some possible failure issues you otherwise would have missed. You can confirm the presence or absence of these failures through specific tests.

Thoroughly testing applications that will run in various installed environments can be a real challenge. Such tests are a combination of end-to-end process testing, compatibility testing and penetration testing. Depending on the multiplicity of environments, users and procedures that your application can support, such tests cost a lot of money in terms of systems and effort. To save money on setting up a large variety of test configurations in-house, consider using an outside testing service.

Your prioritized list of risks should guide the penetration test, but you should also test for other failures that you might not have thought of. Based on the failures you find, revise your list of risks. Add new risks where you find unexpected failures. Increase the likelihood and impact based on the failures you find. You might also decrease the likelihood and impact for risks that don't relate to observed failures, or relate to failures that were less important than you expected. However, be careful about assuming that a risk that isn't exploitable today won't be exploitable in future releases of the software.

Keep a list of the security problems you find and where you found them. You'll need this list to fix the problems, of course. However, I also recommend that you classify the problems in a few ways. One classification is based on the type of security flaw. Another is the date on which the code was written or the version of the software in which it was introduced. Yet another is the major subsystem or component the code is part of. In addition, classify the severity (impact on the system) and priority (impact on the user) of each failure. Finally, classify each problem based on the security risks you identified earlier.

STEP 3: ANALYZE TO KNOW WHERE YOU STAND

The security test mentioned above will find security-related failures. However, not every security bug in the code will always exhibit a security failure. In other words, it is possible to have underlying bugs that did not exhibit any symptoms during the penetration test. Therefore, to find additional problems, do a static analysis of the code.

Static analysis means going through your code to look for bugs that could cause failures. You might have input fields that are not appropriately checked for size or syntax before being handed off for processing. You may have weak error handling. You may have situations where unauthorized users can pass snippets of languages like SQL or Korn shell into the system where they would be executed. Just because these bugs didn't result in failures doesn't mean they aren't bugs, and you should look for them.

You can automate your static analysis using tools. For a large, existing codebase, these tools will identify a large number of problems. Not all of these problems are of the same severity and importance. Somehow, you'll need to focus your attention on the most important of them. Fortunately, good tools will allow you to turn on and off particular rules and tune your static analysis at a level of granularity as fine as individual lines of code. Again, your list of risks can help guide you as you determine where to focus.

Based on your static analysis, add to your list of security problems, where you found each problem, and its classification.
Reducing Security Risk in Software You Build

STEP 4: EVALUATE TO UNDERSTAND WHERE YOU STAND

You've gathered a lot of data in the first few steps. Time to evaluate that data. What does the data mean — i.e., what information and patterns are hiding in the data? What is a smart plan of action for improving software security?

First of all, sort the problem list by priority and severity. You will likely want to immediately fix the problems with the highest levels of priority and severity. Microsoft famously reached a point where the number of critical security bugs became so high that it embarked on a crash program to resolve these bugs. For months, Microsoft programmers did nothing but address security bugs. You might not be in as deep a hole — or be able to spare that much effort — but you'll want to address the urgent items right away.

However, you should also do some further evaluation before venturing into battle with the security bugs. Bugs do not tend to be evenly distributed across the codebase, but rather to exist in clusters. Decades ago, IBM studied its MVS software and found that 38 percent of the bugs that caused problems in production lived in 4 percent of the modules. On a recent Internet appliance project, I found that 69 percent of the bugs we discovered during testing lived in 25 percent of the modules. By looking for modules with particularly high numbers of security bugs, you might find that completely refactoring one or two modules is the smartest way to improve your software's security.

As you start to think about the long term, evaluate how many bugs arise from each kind of security flaw. This will tell you which are the most typical problems you and your team face. Can you reduce the incidence of such problems through training for your programmers? Better code reviews? Better design reviews? All three? After all, you don't want to be fighting a constant battle against security problems with every release, so you and your team need to learn how to create better software.

You should also evaluate the incidence of security bugs based on the age of the code in which they were found. Software tends to "wear out" over the years, not as physical devices do, but rather through ongoing maintenance that reduces the quality of the code. In addition, older code that was written when a programming language was new — or when the team was new to the language or technology — might contain more bugs. Plan for long-term refactoring of decrepit modules that are disproportionate contributors to software insecurity.
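To make the classification of Step 2 and the evaluation of Step 4 concrete, here is an added example (not from the article and not any tool's code) that holds a classified security-problem list and runs the evaluations the article describes over it: sort by priority and severity for repair, measure how concentrated the bugs are in a few modules, count incidence by flaw type and by the version that introduced each bug, and pick out refactoring candidates. All records, module names and field names are constructed sample data.

```python
# Added example, not from the article: a classified security-problem list
# (Step 2) and the Step 4 evaluations run over it. Every record below is
# constructed sample data; the field names are this example's own choices.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityBug:
    bug_id: str
    flaw_type: str       # type of security flaw
    module: str          # major subsystem or component the code is part of
    introduced_in: str   # version of the software in which it was introduced
    severity: int        # impact on the system, 1 (low) to 5 (high)
    priority: int        # impact on the user, 1 (low) to 5 (high)
    risk_item: str       # risk item from the Step 1 analysis it maps to


# Constructed sample list, as a penetration test plus static analysis might fill it.
BUGS = [
    SecurityBug("B-01", "sql-injection", "billing", "1.0", 5, 5, "R1 data disclosure"),
    SecurityBug("B-02", "buffer-overflow", "billing", "1.0", 5, 4, "R2 code execution"),
    SecurityBug("B-03", "missing-input-check", "billing", "1.2", 3, 3, "R1 data disclosure"),
    SecurityBug("B-04", "weak-error-handling", "billing", "1.2", 2, 2, "R3 info leak"),
    SecurityBug("B-05", "sql-injection", "billing", "2.0", 4, 5, "R1 data disclosure"),
    SecurityBug("B-06", "missing-input-check", "auth", "1.0", 4, 4, "R4 account takeover"),
    SecurityBug("B-07", "cleartext-credentials", "auth", "1.0", 5, 5, "R4 account takeover"),
    SecurityBug("B-08", "weak-error-handling", "auth", "2.0", 2, 3, "R3 info leak"),
    SecurityBug("B-09", "shell-injection", "reports", "1.2", 5, 3, "R2 code execution"),
    SecurityBug("B-10", "missing-input-check", "search", "2.0", 3, 2, "R3 info leak"),
    SecurityBug("B-11", "buffer-overflow", "admin", "1.0", 4, 2, "R2 code execution"),
    SecurityBug("B-12", "weak-error-handling", "api", "2.0", 1, 1, "R3 info leak"),
]

# Every module in the codebase, including those with no findings; the
# "N percent of the modules" figure needs the full denominator.
ALL_MODULES = ["auth", "billing", "reports", "search", "admin", "api", "ui", "db"]


def sort_for_repair(bugs):
    """Step 4, first action: highest priority first, then highest severity."""
    return sorted(bugs, key=lambda b: (b.priority, b.severity), reverse=True)


def module_concentration(bugs, all_modules, top_fraction=0.25):
    """How clustered are the bugs? Returns the busiest `top_fraction` of the
    modules and the share of all bugs that live in them, the same kind of
    ratio as the article's IBM MVS and Internet-appliance figures."""
    counts = Counter(b.module for b in bugs)
    ranked = sorted(all_modules, key=lambda m: counts[m], reverse=True)
    n_top = max(1, round(len(all_modules) * top_fraction))
    top = ranked[:n_top]
    share = sum(counts[m] for m in top) / len(bugs)
    return top, share


def incidence_by(bugs, field):
    """Count bugs per value of one classification field ('flaw_type',
    'introduced_in', 'risk_item', ...), most common first."""
    return Counter(getattr(b, field) for b in bugs).most_common()


def refactor_candidates(bugs, all_modules, min_share=0.3):
    """Modules that alone hold at least `min_share` of all bugs: the ones
    where completely refactoring the module may be the smartest fix."""
    counts = Counter(b.module for b in bugs)
    return [m for m in all_modules if counts[m] / len(bugs) >= min_share]


if __name__ == "__main__":
    for bug in sort_for_repair(BUGS)[:3]:
        print("fix first:", bug.bug_id, bug.flaw_type, bug.module)
    top, share = module_concentration(BUGS, ALL_MODULES)
    print(f"{share:.0%} of bugs live in {len(top)}/{len(ALL_MODULES)} modules: {top}")
    print("by flaw type:", incidence_by(BUGS, "flaw_type"))
    print("by version introduced:", incidence_by(BUGS, "introduced_in"))
    print("refactor candidates:", refactor_candidates(BUGS, ALL_MODULES))
```

With the sample data, two of the eight modules hold two-thirds of the findings, and the version-1.0 code contributes the most bugs, which is the kind of pattern Step 4 asks you to look for before planning repairs.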



STEP 5: REPAIR THE PROBLEMS — CAREFULLY

Any time you repair a bug in software, you take a risk that you might introduce a new bug. Many people call these regression bugs, because they represent some reduction in the level of software quality that was present before.

The risk of regression bugs applies to security bugs as much as any other bug. In addition, you can't assume that repairing a security bug will necessarily introduce either no bug at all or another security bug. Fixing a security bug might introduce a functionality bug. So, as you repair the security bugs, make sure you have a plan to deal with regression risk.

How can you do so? A professional, independent test team typically deals with part of the regression problem. They might have created an automated suite of regression tests for functionality, performance, reliability or other important quality characteristics. However, waiting for the end-stage testing is not ideal, as the cost and schedule implications of dealing with a bug increase the longer that bug is in the system.

Instead, use code reviews, static analysis and automated unit tests to help manage regression risk for each change you make to the system. Code reviews, ideally performed by at least two experts in addition to the author, should help catch many problems. Using the static analysis tool you've already invested in to check your new code is a best practice, and good static analysis tools can find many types of problems, not just security problems. Finally, the use of an automated unit testing harness — for example, JUnit if you prefer open source, or Parasoft's Jtest if you prefer a commercial tool — will provide a framework for an automated set of tests that will allow you to modify and refactor your code with confidence.

STEP 6: EXAMINE RESULTS IN THE REAL WORLD

Any time you make a process change, you should monitor how those process changes affect the real world. For example, I'm currently training for a marathon, but I hurt my ankle by overtraining in hills. So, I switched to a training schedule that focuses on low-impact aerobic exercises like bicycling and elliptical machines while my ankle heals. Will this process change help me achieve success? Two real-world measures apply:

• Based on the symptoms in my ankle, is it healing while continuing this training regimen, and can I gradually reintroduce running to the training?

• Will I actually be able to run the marathon without pain and without reinjuring myself?

Similarly, you want to make sure that your new development process reduces the number of known security bugs in your code over time, and that the number of security-related incidents that occur in the field gradually goes down.

You should not expect that these two numbers would go down monotonically. Some natural variation in the testing and development processes will mean the number of known bugs might go both up and down. However, the trend over the long term (say, one year or more) should be that the average number of known security bugs in any given month has gone down.

Similarly, you might have good months and bad months — months when no field security incidents are reported and months when a rash of them are — but this might simply be natural variation in usage patterns or seasonal usage. For example, you would expect that financial application security bugs related to fiscal-year closing operations would increase at the end of the year. However, again, the trend over the long term should be that the average number of security incidents in any given month has gone down.

In addition to monitoring your own security bugs and failures, follow the news. The Internet and trade magazines can help you check for problems in applications similar to yours in business domain, implementation technology or both. If you hear stories about problems that you think might constitute a risk for your application, update your risk analysis and re-evaluate accordingly.

STEP 7: INSTITUTIONALIZE SUCCESS

The last step of this process is to do everything all over again, on every single project. That's something of an overstatement, since you don't need to start from a clean slate. You will need to repeat the first six steps, though, using your existing work as a baseline:

• Reassess security risks.

• Retest the application for security failures.

• Reanalyze the software for security bugs.

• Re-evaluate patterns in security risks, failures and bugs.

• Repair with care.

• Re-examine the real-world results.

In each of these steps, make sure you look both at new concerns related to changes to your applications and concerns you might have previously overlooked.

Institutionalizing success, the final step of most process improvements, is very easy to overlook. After a big push to improve software security, you might be tempted to celebrate success, relax your guard and gradually slip back into old practices of coding.

Rex Black is president of RBCS (www.rexblackconsulting.com), an international consulting company focused on many areas of quality and testing, including functional, security and performance. He is also CTO of Pure Testing (www.puretesting.com). Black's best seller, "Managing the Testing Process," has reached more than 22,000 readers on six continents. He thanks his colleagues at Pure Testing, including Harinath Pudipeddi, for their contributions to this article.
EDITORIAL

The Core Issue

To many developers, the advent of multicore processors may not seem of tremendous importance. Multicore designs help chipmakers improve performance along the lines of Moore's Law: Engineering attempts to boost chip throughput by improving clock speed or increasing bus size are beginning to see diminishing returns, especially when heat and power consumption are factored into the equation. Adding multiple cores into a processor provides another vector for single-chip evolutions of technology, and is proving to be successful.

For many users, the move toward multicore designs will be nearly invisible: You pay a little bit more for a dual-core computer, but it runs faster.

For enterprise developers and software companies that are used to programming for symmetric multiprocessor systems, such as enterprise servers or technical workstations, supporting dual-core designs, such as the AMD Opteron, Intel Xeon or Sun UltraSparc IV, is a matter of continuing existing practices for efficient threading of program code. For someone developing server applications, there's little or no difference between developing apps for a four-processor, single-core server and a dual-processor, dual-core server.

The biggest learning curve will be for programming teams that target consumer and business desktops. Until now, nearly all such platforms used one single-core processor. That meant that thread management was handled in software, not in hardware. While multithreaded applications would be slightly more efficient in a multitasking environment, the benefits of threaded designs were rarely emphasized by architects. Deadlocks and race conditions could be managed by the operating system. In short, programmers didn't have to think about it.

That's changing, thanks to chips like AMD's Athlon X2 and Intel's newly announced Centrino Duo chips. Those processors are finding their way into ordinary desktops and notebook PCs. For the first time, developers targeting desktops and consumers will have to deal with multicore programming. If they don't, the best-case result is that their applications will fail to take advantage of the new hardware's potential. The worst-case results could be execution failures and crashes.

Chipmakers and computer manufacturers haven't emphasized the need for threading and the use of tools and techniques that could detect potential race and deadlock problems with desktop applications running on multicore or multiprocessor desktop and notebook PCs. That's understandable: These companies are trying to persuade consumers and IT departments that dual-core designs are a seamless upgrade from traditional designs. For the most part, they're right: This hardware technology is an excellent move forward.

However, we urge desktop developers, including enterprise programmers and ISVs, to learn more about threading, and for testers and QA departments to add the appropriate diagnostics. ISVs should also report that their applications have been tested to work properly in a multiprocessor environment. It would be a shame if consumers' first experiences with this new technology ended in deadlock. Server developers have long known about these issues; it's time for the greater number of desktop developers to know about it as well.



Visual Studio 2005: Is It Done Yet?

In late December, a file appeared on Microsoft Downloads offering a first glance at Orcas, the next generation of Visual Studio. If we can be guided by the timeline of Visual Studio 2005, which had its first public preview in September 2003 and shipped 26 months later, Orcas might be expected to ship in the first quarter of 2008. So, with .NET 2.0 and the recently released Visual Studio 2005 and Visual Studio Team System and a few service packs, the next few years of Microsoft's development system are in pretty clear focus. Let's take a look.

The biggest, clearest winner of the Whidbey generation of products is ASP.NET 2.0. To me, this is head-and-shoulders the best platform for Web development. Sure, there's a lot of buzz about AJAX and Ruby on Rails, and there's a lot to justify the interest, but when it comes down to it, ASP.NET 2.0 is going to be the right choice 95 percent of the time, it's going to be a very close call for a remaining 4 percent, and if you're in the 1 percent of development teams that has the wherewithal to develop your system in JavaScript or Ruby, you probably already have made your choice. As for PHP or Struts-based Java development, ASP.NET 2.0 blows them away (to be fair, I've not yet looked at Shale or Struts Ti).

It's harder to recommend immediately jumping to the other infrastructure technologies, such as SQL Server 2005 and the new technology portions of Visual Studio Team System, since a single incompatibility or deployment snafu could create huge headaches, if not an outright disaster.

From my perspective as a developer, SQL Server 2005 looks like a great product, but I always defer to the database administrator on database choice. Most SD Times readers will have existing alternatives for most of the infrastructure components in Team System — configuration management, defect tracking and management, unit-testing, build tools, etc.

For Team System to really outshine the alternatives, you have to embrace an infrastructure that includes Exchange, SharePoint, Office (especially Project and Outlook) and Visual Studio Team Server. Of these components, my biggest problem by far is with Project, which does a terrible job of modeling and tracking iterative development. Whoever is responsible for Project's template for software development ought to be tried for crimes against the industry. Even without that horrible framework, Project is abysmal for dealing with programming's cyclical fan-out and fan-in of
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JAVA'S NOT TO BLAME 

Following are some comments 
on Mike Prest's "Runtime 
Issues," a letter to the editor in 
the Jan. 1 issue of SD Times 
[page 27]: 

Paragraph 1 - Mike, Java is 
backward compatible unless it 
was written specifically for Java 
1.1 or Microsoft's Java (or any 
version after). The problem lies 
with the developers, not Java. 
So if it doesn't work, it is the 
developer's fault. There is a UI 
toolkit that will work with all 
JVMs back to 1.1 (Nexaweb). 

Paragraph 2 - Mike, seeing 
that you had problems/ques- 
tions in the previous paragraph, 
it doesn't surprise me that you 
have issues with stacktraces and 
Java application servers. Again, 
the problem here is not Java. 
CF on Java? There are bound 
to be issues. Logs? Those come 
from the app server, not Java. 
Pick another vendor for your 
app server. If you can't (if CF 
won't let you), then get a differ- 
ent UI tool. You also probably 

Letters to SD Times should include the 
writer's name, company affiliation and 
contact information. Letters become the 
property of BZ Media and may be edited. 
Send to feedback@bzmedia.com. 



should find an experienced and 
knowledgeable developer to 
help you out. 

Paragraph 3 - Yes, Java has 
many names. Some are useful, 
and some are not. Things like 
this happen when you have a 
large product, and a large com- 
pany and a marketing depart- 
ment. Anyone who is actively 
involved with Java will have no 
problem, though. 

Paragraph 4 - Mike, the 
reality is that computers and 
software development are not 
easy. When computers (and 
software) run, they are great. 
When they don't, they are 
major pains. As for "easy to 
port," Java doesn't need to be 
ported. That is one of the 
great things about Java — it is 
portable. Mind you, it doesn't 
prevent you from making it not 
portable. Many of us develop 
on one OS and deploy to one 
or more other OSes. 

Mike, Java is not perfect, but 
nothing is. I've used and still 
use other programming lan- 
guages/platforms. They have 
their own pains and many times 
are worse. 

Mark Nuttall 

Winston-Salem, N.C. 



DEFENDING SUBVERSION 

In his opinion piece ["Why Com- 
mercial SCM Tools Are Better 
Than Open-Source Tools," Dec. 
15, page 32], AccuRev CTO 
Damon Poole makes various 
false or misleading claims about 
Subversion, and about open- 
source software in general. He 
also implies that only proprietary 
SCM systems are worthy of seri- 
ous consideration. 

Given that his company 
competes directly against open- 
source systems such as Subver- 
sion, it's understandable that 
he'd want his readers to think 
this, but it is a disservice to 
those who simply want the best 
solution to their change man- 
agement problems. 

Poole states that the Subver- 
sion project has "accomplished 
only the first two of their four 
goals, atomic transactions and 
fast branching." Our goals, 
which number far more than 
four, have been listed promi- 
nently on our home page 
(subversion.tigris.org) since the 
project started. Furthermore, 
we accomplished the goals that 
we targeted for our 1.0 release 
in 2004, have made three new 
feature releases since then, and 
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fine-grained, highly interde- 
pendent work items, whose rate 
of production varies by an order 
of magnitude depending upon 
who is assigned to develop 
them. Team Server tries to shift 
this type of thing from Projects 
Gantt charts to its own tracking 
system, which is an appealing 
step in the right direction. 

I'm still evaluating the com- 
plete "Microsoft stack" of server 
technologies for software devel- 
opment and the software devel- 
opment life cycle tools, but I 
have already been struck by 
something that I think is very 
important to Microsoft's compet- 
itive position. I hate to use a 
buzzword, but I view the "collab- 
oration" between Microsoft's 
products as the key differentiator 
between Microsoft technologies 
and competitors. Not the collab- 
oration of users, but the collabo- 
ration of tools. 

While "integrated" tools are 
now part of virtually all profes- 
sional development (especially 
with Visual Studio and Eclipse 
creating a binary star system that 
threatens to absorb all alterna- 
tives), it's not that Microsoft 
tools combine, say, the visual 
designer and the compiler and 



the debugger within a single 
environment, but that different 
Microsoft tools "know about" 
each other. A small example is 
the use of Outlook's forms capa- 
bilities so that task status flows 
in and out of the project data- 
base. A much bigger example 
is the collaboration between 
the Orcas-based Cider visual 
designer, geared for program- 
mers, and the Sparkle tool that 
targets artists — but a discussion 
of those tools will have to wait 
for another day. 

It's sobering to realize that 
Visual Studio 2005 will carry us 
fully into the multicore, 64-bit 
era. Not a single Microsoft lan- 
guage is inherently paralleliz- 
able, although C++ installs an 
implementation of OpenMP and 
ADO.NET 2.0 now supports the 
CLR's asynchronous program- 
ming model. (You can quibble 
with my premise that we'll all 
have multicore desktops in three 
years, but servers? Heck, yeah.) 

This is only one of the reasons 
why I think C++/CLI is the most 
interesting of the Whidbey gen- 
eration's languages. Reference 
handles as first-class language 
constructs, improved perfor- 
mance and interoperability, and 



safer libraries also are com- 
pelling. I had hoped that Iron- 
Python would be integrated into 
the VS 2005 environment to 
bring shells/workspaces/REPL 
to prominence, but it missed the 
release (although an initial ver- 
sion is available in the December 
CTP of the Visual Studio SDK). 

Visual Basic 2005 (as it's 
named in the "About" box) 
aims to re-establish trust with 
those who resisted VB.NET 
The "My" namespace, the 
return of edit-and-continue 
(also available for C#, although 
frankly, I find it more frustrat- 
ing than helpful) and the sur- 
prisingly powerful "snippets" 
capability all seem like good 
ideas, but I actually thought 
VB.NET was great, so I may 
not be the best judge on that 
community's reaction. 

C# 2.0 is most notable for 
being "first among equals" of 
the CLR's languages. The 
large majority of discussions 
about the Base Class Library, 
generics, delegates and even 
lightweight code generation 
use C# as the lingua franca. I'd 
be remiss if I didn't applaud 
the standardization of C# by 
Ecma and the excellent Mono 



project, on which some of the 
most compelling .NET-based 
graphical applications have 
been built. 

Finally, the IDE itself is 
more resource-intensive than 
ever before, and while I've not 
personally had troubles with its 
stability, there are reproducible 
defects that are just embarrass- 
ing (Microsoft MVP Frans 
Bouma discovered a generics- 
parsing issue, and if you try to 
do a "rename" refactor in Visu- 
al Basic and you have a call 
to "oStringn on a bit-shifted 
value, the IDE crashes). I think 
this is more symptomatic of the 
rise of blogs and Microsoft's 
increased transparency than the 
inherent quality of the IDE, 
but the schedule resets of the 
past two years have not inspired 
confidence. 

Microsoft has said that it 
plans to release the first Service 
Pack for Visual Studio 2005 in 
"the first half of 2006." Hitting 
that schedule would be a nice 
reassurance. I 

Larry O'Brien is a tech- 
nology consultant, analyst and 
writer Read his hlog at www 
.knowina.net. 



are currently working on some 
of the very capabilities he 
claims we're ignoring. Again, 
this is all being done publicly 
and openly; on our mailing lists 
we regularly answer questions 
about features currently under 
development. 

He also seems to underesti- 
mate the amount of commercial 
investment made in Subversion 
development. CollabNet (dis- 
claimer: my employer) started 
the project in 2000, and has 
funded it consistently for six 
years, as of this writing, by 
employing several full-time 
developers, subsidizing QA and 
some requirements elicitation 
research, and providing hosting 
and infrastructure support. 
While we do not in principle 
agree with Poole's claims about 
the link between funding and 
innovation, in this case he does 
not do justice to the amount of 
funding anyway. 

Later, he uses dollars spent 
in 1994 versus 2004 to mea- 
sure the increase in popularity 
of commercial SCM systems. 
This is spurious because the 
software industry itself has 
grown so much during that 
time; worse, it is conveniently 
incommensurate with growth 
in open-source adoption, since 
open-source software doesn't 



What's Hindering Your Efforts 
To Deploy Field Service Apps? 



DATA WATCH 



The high cost of mobile hardware and software was 
cited as the leading obstacle to deployment of mobile 
solutions for service workers, according to a study 
published in December 2005 by Aberdeen Group. 

Aberdeen in mid-2005 assessed the strategies and 
technologies deployed by about 40 small, medium and 
large enterprises in a variety of industry sectors. 

Costs aside, the study found that complexities 
involved with the customization of enterprise solu- 



tions for mobile devices and field workers— and the 
integration of those apps with enterprise back-end 
systems— were the most daunting challenges. Near- 
ly as many also said that infrastructure and person- 
nel were inadeguate to deploy and support the tech- 
nology and expressed concerns for security of data 
when deployed wirelessly. 
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have license fees. Yet we know 
that open-source adoption has 
been extremely robust during 
that decade. Why doesn't 
Poole attempt a relative com- 
parison, instead of uselessly 
comparing proprietary SCM 



tools against themselves? 

There isn't space here to 
address all of Poole's claims, 
but at subversion.tigris.org 
/poole-response.html, we've 
posted a more detailed re- 
sponse, and hope that readers 



who saw Poole's original piece 
will also see our reply. 
Karl Fogel 

Software Collaboration 
Specialist, CollabNet 
Developer, Subversion 
Project 
The Next Big Thing

Unless you've been living under a rock, you're probably aware that AJAX seems to be the next big thing. AJAX is not really a technology at all, however — it's a technique. I've been using it in my most recent project, and here are my experiences.

The basic premise of AJAX is to move all the presentation-layer code from the server to the browser. The server presents two types of information to the browser: generic Web pages that contain no data and data streams that contain the information displayed on these pages. That is, instead of creating custom Web pages, the server produces custom data sets for stock Web pages. The data can be sent using XML, but in the application that I'm building, I've found that it's not worth the trouble. I'm just sending comma-separated lists.

At the heart of AJAX is a single JavaScript function call: XmlHttpRequest(). In spite of the name, this is not an XML-related function at all. It simply issues an HTTP GET or POST, and returns the data returned by the browser. On the server side, these requests are handled by standard servlets running under Tomcat. (The Web pages that contain the XmlHttpRequest call are served by Apache, and there's no need to connect Apache and Tomcat with ModJK since Tomcat isn't actually serving Web pages — it's just creating data streams. Tomcat and Apache can be running on separate machines.)

Since it's JavaScript, you can't just call XmlHttpRequest, though. The function's behavior is browser-dependent. Fortunately, you can create a function that wraps the hideous garbage needed to make the function call work.

I found a few useful descriptions of how to make XmlHttpRequest actually work at developer.apple.com/internet/webcontent/xmlhttpreq.html, jibbering.com/2002/4/httprequest.html, www.omnytex.com/articles/xhrstruts (which describe how to use an XmlHttpRequest with Struts), and www.xml.com/lpt/a/2005/02/09/xml-http-request.html. There's also a really useful set of detailed AJAX examples at www.clearnova.com/ajax.

In my application, all I was doing with AJAX was flowing different chunks of HTML into a <div> element based on user input. Since this is pretty basic JavaScript programming, which I already knew how to do, just figuring out how to make the XmlHttpRequest call was all that I needed. The servlets that responded to the request were trivial to write.

The hype behind AJAX is that it provides you with a way to build browser-hosted user interfaces that are as responsive as client-side user interfaces. The responsiveness of the UI is really all just JavaScript programming, however. Massive amounts of it. AJAX gives you nothing but a way to update part of a Web page without re-serving the whole thing. You can trap a user's characters as they're typed, for example, send the characters to the server as part of an HTTP request, and print error messages (or reject the input) based on the response. This is an awful lot of work to do on a one-character-at-a-time basis, however, which brings us to the dark underbelly of AJAX: It's often not a particularly efficient use of the HTTP protocol, and getting things to work typically involves mondo JavaScript programming.
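As an added example that is neither Holub's code nor taken from any of the sites he lists, the JavaScript below shows the pieces his column describes: a wrapper that hides the browser-dependent way of obtaining an XmlHttpRequest object (the standard constructor, with the ActiveX fallback that older Internet Explorer needed), a parser for the comma-separated data streams he sends instead of XML, and the step that flows the result into a <div>. The sample response, the endpoint path and the element ids are constructed. One defensive addition: every field from the data stream is HTML-escaped before it is written into the page, since anything copied from a server response into innerHTML is otherwise an injection point if the data ever echoes user input. A debounce helper addresses the one-request-per-keystroke cost he describes.

```javascript
// Added example (not from Holub's column): the pieces of a small AJAX client.

// 1. Browser-dependent construction, wrapped once. Modern browsers expose
//    XMLHttpRequest; pre-IE7 needed an ActiveX object instead.
function createXhr() {
  if (typeof XMLHttpRequest !== 'undefined') return new XMLHttpRequest();
  if (typeof ActiveXObject !== 'undefined') {
    var progIds = ['Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'];
    for (var i = 0; i < progIds.length; i++) {
      try { return new ActiveXObject(progIds[i]); } catch (e) { /* try next */ }
    }
  }
  return null; // no transport (for example, running outside a browser)
}

// 2. Parser for one comma-separated record. Quoted fields are honoured so a
//    value containing a comma or a doubled quote ("") survives; a bare
//    split(',') would silently corrupt such records.
function parseCsvLine(line) {
  var fields = [], cur = '', inQuotes = false;
  for (var i = 0; i < line.length; i++) {
    var ch = line.charAt(i);
    if (inQuotes) {
      if (ch === '"') {
        if (line.charAt(i + 1) === '"') { cur += '"'; i++; } // escaped quote
        else inQuotes = false;
      } else {
        cur += ch;
      }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      fields.push(cur); cur = '';
    } else {
      cur += ch;
    }
  }
  fields.push(cur);
  return fields;
}

// A response body is one record per line; blank lines are skipped.
function parseCsvResponse(text) {
  var rows = [], lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    if (lines[i].length > 0) rows.push(parseCsvLine(lines[i]));
  }
  return rows;
}

// 3. Build the markup for the target <div>. Each field is escaped: the data
//    stream is untrusted as far as the page is concerned.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

function rowsToHtml(rows) {
  var html = '<table>';
  for (var r = 0; r < rows.length; r++) {
    html += '<tr>';
    for (var c = 0; c < rows[r].length; c++) html += '<td>' + escapeHtml(rows[r][c]) + '</td>';
    html += '</tr>';
  }
  return html + '</table>';
}

// Issue the GET and hand parsed rows to the caller; null if no transport exists.
function ajaxGet(url, onRows, onError) {
  var xhr = createXhr();
  if (!xhr) { onError(new Error('XmlHttpRequest not available')); return null; }
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return; // 4 = response complete
    if (xhr.status === 200) onRows(parseCsvResponse(xhr.responseText));
    else onError(new Error('HTTP ' + xhr.status));
  };
  xhr.open('GET', url, true);
  xhr.send(null);
  return xhr;
}

// Run fn only after the user pauses for delayMs, so a burst of keystrokes
// costs one request rather than one per character.
function debounce(fn, delayMs) {
  var timer = null;
  return function () {
    var args = arguments;
    clearTimeout(timer);
    timer = setTimeout(function () { fn.apply(null, args); }, delayMs);
  };
}

// Constructed sample of what a servlet might return (not real data). The
// second record carries a comma inside quotes and a markup fragment.
var SAMPLE_RESPONSE = 'Holub,"Holub Associates",Berkeley\n' +
                      '"Doe, Jane","<b>injected</b>",Oakland\n';

function renderSample() { return rowsToHtml(parseCsvResponse(SAMPLE_RESPONSE)); }

// In a page (assumed element ids, constructed endpoint):
//   var out = document.getElementById('results');
//   var lookup = debounce(function (text) {
//     ajaxGet('/app/lookup?q=' + encodeURIComponent(text),
//             function (rows) { out.innerHTML = rowsToHtml(rows); },
//             function (err) { out.textContent = err.message; });
//   }, 250);
//   document.getElementById('query').onkeyup = function (e) { lookup(e.target.value); };
```

Holub flows server-produced HTML straight into the <div>; the version here treats the stream as data and generates the markup on the client, which is what makes the escaping step possible. The same escaping discipline applies if the server keeps producing HTML: anything in that HTML derived from user input has to be escaped on the server instead.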

I, personally, think that the people who invented JavaScript and then decided to implement it differently in every browser are going to end up in the eighth circle of Hell along with the other "Sowers of Discord and Schism." It certainly feels like hell to program the stuff. FireFox, at least, has an acceptable source-level debugger for JavaScript (www.mozilla.org/projects/venkman), but the odds of your FireFox code porting to Explorer, which has no debugging support at all, are small. At least it's a start, though.

If you don't know it already, you'll also have to learn JavaScript at a nontrivial level to do any AJAX programming. There are, of course, a billion intro-to-JavaScript books and online tutorials. (There's a reasonably good tutorial with a great online reference at www.w3schools.com/js/default.asp.) JavaScript books that focus on AJAX are just now appearing. I'll report on them as they come across my desk.

The real issue with AJAX, at least for the moment, is that it's just too hard to do. I really don't want to become a JavaScript programmer. For the technology to really become viable, then, a lot of work needs to be done. In particular, we need a Java framework that provides a stock set of platform-independent JavaScript controls that we can just cut and paste into the HTML, and on the other side, we need a standardized UI framework that hides all the servlet programming from our applications. Let's hope that, over time, something reasonable will emerge.

Allen Holub is an architect, consultant and instructor in C/C++, Java and OO Design. Reach him at www.holub.com.



Visual Studio 2005: Which Edition?

Integration Watch

The November launch of Microsoft's Visual Studio 2005 Team System marked a new epoch in development tools for the company. Previously, its IDE placed the principal emphasis on development. Designing interfaces, cutting code and debugging were all well-supported features whose implementation was widely admired and, for non-Java client-oriented developers, universally used. The new Visual Studio Team System, however, integrates substantially more functionality previously the province of third parties.

Principal among these features are architecting, modeling and testing — all within an environment that tends toward collaboration rather than favoring the individual developer. It is hard to recall a more substantial increase in functionality in a single product release than Team System. However, a commensurate jump in pricing is associated with this release. As a result, choosing wisely which edition to use is now fairly important.

The editions of Team System are centered around three roles: architect, developer, tester. In previous editions of Visual Studio, the label "architect" pointed to the most comprehensive edition of the product and, as such, was a common favorite for many developers, especially senior technical staff. With Team System, this arrangement is no longer true. The architect role contains unique technology that enables the user to define the application's requirements and to validate the software against company policies and, especially, against the intended deployment architecture.

So, Microsoft has restored the term "architect" to its narrow meaning and removed the previous connotation of über-programmer. (The equivalent of the previous top-of-the-line tool suite is the expensive Visual Studio Team Suite with a premium MSDN online subscription.)

The edition for software testers is narrowly focused on testers. It provides support for load testing, Web testing and other forms of automated and semi-automated validation of functionality, and it bundles test-case management tools. This edition is a good testing tool set, but it's not as far-reaching as many of today's third-party products, notably those in Compuware's DevPartner product line.

The developer edition consists of the IDE plus code analysis tools and is targeted at programmers who are focused on cutting code and building products but who need a collaborative environment within which to work. It offers unit testing capabilities, but it lacks the remaining validation features of the tester edition. In other words, these two editions are parallel, not hierarchical.

Below these Team Editions is the professional edition of Visual Studio, which looks most like a pure rev of the Visual Studio .NET 2003 IDE. And below it are the various Express editions, which are single-language versions of the IDE. A SQL 2005 Express edition is also available. These Express editions were originally priced at US$49 each, but Microsoft recently began offering them for free (from msdn.microsoft.com/vstudio/express/default.aspx). This promotion is scheduled to last until late 2006.

Which version to choose is an apt and important question. Richard Hale Shaw, who has lectured on Windows development for years, believes most developers should buy the professional edition and a premium subscription to MSDN. This combination includes a license to deploy Team System (the foundation layer, which provides most of the collaborative functionality). This approach works well if you already have tools in place for unit testing and code coverage and don't need or want to buy more-expensive versions of Team System to have them integrated by Microsoft into the IDE.

I have been using Shaw's recommended combination for several months and find that I like the upgrades to the Visual Studio IDE for C++ development. I am told by associates that improvements for the .NET languages are equally useful. However, as previous columns of mine have pointed out, the IDE could easily have been made much better had Microsoft put more resources into it. The pure IDE is incrementally better — enough to upgrade, but not enough to rave about. The compilers could have been improved as well, but were not — save for emitting code for Windows x64.

The upshot is that the Team Editions make most sense for a few select roles in the enterprise for which corresponding tools from third-party vendors have not already been purchased. The Team Editions also make sense for small shops that want one developer seat of all the needed tools — testing, code coverage, code analysis — in a single, integrated package. For everyone else who has not settled on a selection, consider Microsoft's comparatively generous 180-day test period for evaluation. Like Shaw, I think most readers will find their needs met with the professional edition and the MSDN subscription.

Andrew Binstock is the principal analyst at Pacific Data Works.



34 . INDUSTRY . Software Development Times . February 1, 2006 . www.sdtimes.com



Process Framework's Process Has Begun

Industry Watch

Web services, and the service-oriented architectures that are springing up to support them, have begun to change the landscape of software development.

Companies, emboldened by successful internal implementations of Web services, are reaching out to customers and clients with their software, exposing what they once thought of as their crown jewels — applications and certain data — in a more far-reaching way.

However, for business applications, it's not enough to simply expose a CICS transaction, or another bit of executable code, in an isolated way. Even with the attached metadata available to provide some understanding as to what the Web service is and does, developers need to have more context to truly begin to link up systems via Web services.

The missing key to this point has been process.

But that is changing, as the industry consortium Object Management Group works to refine the Software Process Engineering Metamodel (SPEM), which is designed to allow the exchange of process models — whether they be from a heavyweight methodology like the Rational Unified Process or one of the agile methodologies. Also, IBM is leading up a project at the Eclipse Foundation to create a free, open process. Work and debate on the Eclipse Process Framework already has begun.

Bjorn Gustaffson, architect of the RUP toolkit at IBM Rational before founding project management company Good Software, said, "We're starting to understand the laws of nature around software. Process is the way to capture it and do it again. It's taken different forms over the years."

Good Software makes the ProjectKoach project management software, which has embedded in it a feature called ProcessKoach for the creation of process models. "There's a different landscape today," Gustaffson said. "Projects move much more quickly. Our solution is process-empowered. You can instrument ProjectKoach with the process of your choice."

But process, Gustaffson noted, "has a negative connotation in the software development
Many developers believe having to adhere to a development process is akin to coding with one hand tied behind their backs — it's too confining and restrictive, and takes away options when it comes to finding ways around and through problems.

Without process, Gustaffson argues, the things that are done well during development are more difficult to repeat, forcing organizations either to document, which often is done poorly or not done at all, or to try to rely on memory to repeat a success in the next project.

SPEM, he said, could enable the next logical step in Web services — the sharing of process metamodels, although he acknowledged, "I haven't seen much process exchange happening."

It's clear that the industry wants this to happen, though. Work is going on at the Eclipse Foundation to create a process engineering framework. In December, the organization approved the work as a technology project, led by IBM. There is some debate going on as to whether or not that project should be based on SPEM 1.1 (version 2.0 is not expected to be even a stable proposal until March, and then it could take as long as two years before it becomes a final OMG recommendation).

IBM is suggesting basing the Eclipse Process Framework effort on its proprietary Unified Method Architecture — a metamodel that IBM's Per Kroll called an evolution of SPEM 1.1 that is "close to the SPEM 2.0." Meanwhile, SPEM 2.0 co-submitter Osellus wants EPF to adhere to SPEM 1.1, which Kroll said is flawed and might not be ready to be implemented upon for years.

Regardless of the tack they ultimately take, the effort is an important one. Once architects and development teams are able to share process models, the job of creating transactional applications will be that much easier, as teams will be able to recreate the successes of other projects by using steps that have been proven to work. And that is a change in the landscape that should help lift the entire practice of software development.

David Rubinstein is editor-in-chief of SD Times.
CA, formerly called Computer Associates, has announced it plans to acquire Wily Technology, an application management solutions company, for US$375 million in cash. The acquisition is the latest in a recent series of pickups going back to last year that CA said it would make to get back on the growth track. CA said Wily would immediately add about $72 million to the company's 2007 bottom line. After the transaction is completed, Wily will become a division within CA's Enterprise Systems Management business unit. CA said it expects to retain most of Wily's employees, who number around 260 . . . Mercury announced it will acquire Systinet Corp. for US$105 million in cash to bolster its SOA offering. The announcement was made the same day as Systinet's release of a new SOA governance platform, code-named Blizzard. Tony Zingale, chief executive officer at Mercury, said in a statement: "Systinet's technology and deep expertise in SOA combined with Mercury's strong BTO market leadership introduces powerful product synergies and the ability to address a broader set of customer opportunities in the fast growing SOA market." The acquisition is expected to be complete sometime before the end of Q1 2006. Mercury cited the Systinet Registry and Systinet Policy Manager as its two primary gains in the acquisition . . . In an all-cash deal valued at about US$56 million, cell-phone chip manufacturing giant Qualcomm has acquired Berkana Wireless, a fabless semiconductor company based in Silicon Valley. Berkana makes complementary metal oxide semiconductors and radio frequency integrated circuits for the wireless industry. Qualcomm estimates that it will incur an additional one-time charge of approximately $10 million for in-process research and development . . . Numerex has acquired Airdesk. The companies formerly competed in the area of machine-to-machine wireless communications technologies, which includes vertical applications such as those for fleet management, security, utilities, inventory control, vending, health care and point-of-sale terminals. The transaction is valued at about US$4 million . . . Axway Software, a wholly owned subsidiary of Sopra Group, acquired 100 percent of Cyclone Commerce. The products of Cyclone will be maintained and integrated by an updated version of Axway's XIP integration platform. Clients will benefit from expanded offerings and services offered by both Axway and Cyclone. Financial terms were not disclosed.

EARNINGS: The SCO Group, provider of Unix software, announced results for its fiscal 2005 fourth quarter. Revenue for the three months was US$8.52 million, down from $10.07 million for the comparable quarter of the previous year. The net loss was 19 cents per diluted common share, compared with a net loss last year of 37 cents per diluted share. Revenue for the year was $36 million, compared with 2004 revenue of $42.8 million. For year-end 2005, the net loss was $10.72 million, or 60 cents per diluted common share, compared with a net loss of $16.2 million, or $1.07 per diluted share . . . Intraware, provider of electronics software and license delivery and management solutions, reported that revenue for the fiscal 2006 third quarter was US$2.5 million, compared with $3.1 million in total revenue for the immediately preceding quarter. Net loss was $800,000, compared with a net loss of $200,000 in the immediately preceding quarter and a net loss of $800,000 in the year-earlier quarter. Third-quarter fiscal year 2006 net loss per share was 13 cents, compared with a net loss of 13 cents per share from the year-earlier quarter.



CALENDAR OF EVENTS

Feb. 6-7 | Developer Relations Conference | San Francisco | EVANS DATA | www.evansdata.com/drc2
Feb. 6-8 | Software Security Summit | San Diego | BZ MEDIA | www.S-3con.com
Feb. 13-17 | RSA Conference | San Jose | RSA SECURITY | 2005.rsaconference.com/us/C4P06
Feb. 27 | Web Services/SOA on Wall Street | New York | LIGHTHOUSE PARTNERS & FLAGG MANAGEMENT | www.webservicesonwallstreet.com
March 5-10 | SHARE | Seattle | SHARE | www.share.org
March 6-8 | Business Intelligence Summit | Chicago | GARTNER | www.gartner.com/2_events/conferences/bi4.jsp
March 6-9 | Emerging Technology Conference | San Diego | O'REILLY MEDIA | conferences.oreillynet.com
March 7-9 | Intel Developer Forum Spring | San Francisco | INTEL | www.intel.com/idf/us/spring2006
March 13-17 | SD West 2006 | Santa Clara | CMP MEDIA | www.sdexpo.com
March 19-24 | BrainShare 2006 | Salt Lake City | NOVELL | www.novell.com/brainshare
March 20-23 | EclipseCon | Santa Clara | ECLIPSE FOUNDATION | www.eclipsecon.org/2006/Home.do
March 20-24 | Game Developers Conference | San Jose | CMP MEDIA | www.gdconf.com
April 3-6 | LinuxWorld Conference & Expo | Boston | IDG WORLD EXPO | www.linuxworldexpo.com/live/12
April 3-7 | Embedded Systems Conference Silicon Valley | San Jose | CMP MEDIA | www.esconline.com/sv
April 3-7 | International Conference On Software Process Improvement | Orlando, Fla. | INTERNATIONAL INSTITUTE FOR SOFTWARE PROCESS | www.icspi.com

For a more complete calendar of U.S. software development events, see www.bzmedia.com/calendar. Information is subject to change. Send news about upcoming events to events@bzmedia.com.
Perforce. The fast SCM system.

For developers who don't like to wait

Perforce Software

Download a free copy of Perforce, no questions asked, from www.perforce.com. Free technical support is available throughout your evaluation.
Ship Software OnTime

OnTime 2006

The Fast & Scaleable Team Solution for... Defect & Issue Tracking • Feature & Change Tracking • Task & To-do List Tracking • Helpdesk Ticket Tracking

OnTime is the market-leading project, defect and feature management tool for agile software development and test teams. OnTime facilitates tracking, analyzing and trending team-based software development efforts in an intuitive and powerful user interface. A fully customizable UI, powerful workflow, process enforcements, two-way email communications and custom reports combine to help software development teams ship software on-time!

Available for Windows, Web & VS.NET 2003/2005

OnTime 2006 Professional Edition: For Teams of 1 to 1,000 Members. From $149 Per User.

OnTime 2006 Small Team Edition: For Teams up to 10 Members. Free Single-User Installations. $495 for 5 Team Members. $995 for 10 Team Members. (Only $495 for up to 5 Users • Only $995 for up to 10 Users • Free Single-User Installations)

800-653-0024
"software for software development"
www.axosoft.com


